uhop · May 29, 2023 06:35
diff --git a/README b/README
 # The approach is to mark packets from a specific user,
 # create a dedicated routing table with a default route
 # through the VPN, and force all marked packets to be
 # routed using that table.
 #
 # Sources:
 # https://www.niftiestsoftware.com/2011/08/28/making-all-network-traffic-for-a-linux-user-use-a-specific-network-interface/
 # http://freeaqingme.tweakblogs.net/blog/9340/netflix-using-a-vpn-for-just-one-application.html

 # In this guide
 # 10.8.0.2 IP of VPN tunnel interface (tun0) on machine running transmission
 # 1.1.1.1 IP of external interface (eth0) on the VPN server


 # add to /etc/iproute2/rt_tables:
 200 transmission

 #in /etc/openvpn/client.conf
 script-security 2
 up /etc/openvpn/client/up.sh

 # See up.sh file in this dir: /etc/openvpn/client/up.sh
 # creates fwmark rule and blackhole route to reject

 # In /etc/iptables/iptables.rules

 # This rule identifies packets from the user that we want to route through VPN
 # NOTE: To add another user, the only necessary step is to add another rule like this
 # NOTE: I think group won't work, because GID will match by the primary group of the
 # user that executing the app, not by membership of that user in a group.
 iptables -t mangle -A OUTPUT -m owner --uid-owner transmission -j MARK --set-mark 0x2

 iptables -t nat -A POSTROUTING -o tunoak -j SNAT --to-source 10.8.0.2

 # This rule rejects all pkts until the VPN starts up (up.sh removes this rule),
 # after vpn shuts down, the rejection is done by blackhole route (see up.sh)
 iptables -A OUTPUT -m mark --mark 0x2 -j REJECT

 # In /etc/sysctl.d/net.conf:
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.tunoak.rp_filter = 0

 # On VPN server:

 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 10.8.0.2:51413
 iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 51413 -j DNAT --to-destination 10.8.0.2:51413

 # Main NAT rule: re-write source to the VPN server's external IP
 iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1

 # You can use systemd's iptables.service to restore iptables automatically on
 # boot, that you save with 'iptables-save > /etc/iptables/iptables.rules'

 # Also, on VPN server, in /etc/openvpn/server/server.conf comment out this line
 # to prevent openvpn server forcing the client to forward all traffic through the VPN:
 ;push "redirect-gateway def1 bypass-dhcp"

 # Transmission /var/lib/transmission/.config/transmission-daemon/settings.json
 # Must bind to the VPN tun interface, because otherwise transmission communication
 # breaks across the NAT: netfilter # modifies the outgoing reply UDP packets
 # with wrong source port, because # conntrack can't detect the connection,
 # because it sees a source port from # an interface other than the tunnel
 # interface (despite the packet reaching the destination (it reaches, but
 # with the wrong source port, so transmission rejects it).
 "bind-address-ipv4": "10.8.0.2",

 # not necessary, but just to keep things simple: disable IPv6 by binding it to localhost
 "bind-address-ipv6": "::1",

 # cp /{usr/lib,etc}/systemd/system/transmission.service to disable UPnP port mapping:
 # Add --no-portmap

 # Because of the firewalling, we don't have access to RPC from outside the box
 # See transmission-rpc.service for creating SSH tunnel accessible to outside
diff --git a/transmission-rpc.service b/transmission-rpc.service
 [Unit]
 Description=SSH Tunnel to transmission RPC port
 Wants=network-online.target
 After=network.target network-online.target

 [Service]
 # Create this user with: useradd -r -m -d /var/lib/transmission-rpc transmission-rpc
 # Then login, create an SSH key (no passphrase), and authorize the key, and approve the host as known:
 # sudo su - transmission-rpc
 # ssh-keygen -t rsa
 # cp ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
 # ssh localhost
 User=transmission-rpc
 Group=transmission-rpc
 ExecStart=/usr/bin/ssh -NT -L '*:9191:localhost:9091' localhost
 Restart=on-failure

 [Install]
 WantedBy=default.target
diff --git a/vpn-up.sh b/vpn-up.sh
 #! /bin/bash

 # Must be created in /etc/iproute2/rt_tables
 VPNTABLE=transmission

 # Must match the mark value saved in iptables.rules:
 #  (1) in the rules that mark packets by GUID
 #        -A OUTPUT -m owner --uid-owner $USERNAME -j MARK --set-xmark $MARK
 #  (2) in the rule that rejects all marked packets by default (see below)
 MARK=0x2

 # Gateway of VPN interface
 GATEWAYIP=10.8.0.2

 if [[ `ip rule list | grep -c $MARK` == 0 ]]; then
 	ip rule add from all fwmark $MARK lookup $VPNTABLE
 fi

 ip route replace default via $GATEWAYIP table $VPNTABLE

 # when default route disappears, will fall back to this null route:
 # NOTE: this is crucial, because iptables rejection rule is removed below,
 # so when openvpn-client service is stopped, iptables no longer protects.
 ip route append blackhole default table $VPNTABLE

 ip route flush cache

 # Remove the rejection rule
 if iptables -C OUTPUT -m mark --mark $MARK  -j REJECT
 then
   iptables -D OUTPUT -m mark --mark $MARK -j REJECT
 fi
	# The approach is to mark packets from a specific user,
	# create a dedicated routing table with a default route
	# through the VPN, and force all marked packets to be
	# routed using that table.
	#
	# Sources:
	# https://www.niftiestsoftware.com/2011/08/28/making-all-network-traffic-for-a-linux-user-use-a-specific-network-interface/
	# http://freeaqingme.tweakblogs.net/blog/9340/netflix-using-a-vpn-for-just-one-application.html

	# In this guide
	# 10.8.0.2 IP of VPN tunnel interface (tun0) on machine running transmission
	# 1.1.1.1 IP of external interface (eth0) on the VPN server


	# add to /etc/iproute2/rt_tables:
	200 transmission

	#in /etc/openvpn/client.conf
	script-security 2
	up /etc/openvpn/client/up.sh

	# See up.sh file in this dir: /etc/openvpn/client/up.sh
	# creates fwmark rule and blackhole route to reject

	# In /etc/iptables/iptables.rules

	# This rule identifies packets from the user that we want to route through VPN
	# NOTE: To add another user, the only necessary step is to add another rule like this
	# NOTE: I think group won't work, because GID will match by the primary group of the
	# user that executing the app, not by membership of that user in a group.
	iptables -t mangle -A OUTPUT -m owner --uid-owner transmission -j MARK --set-mark 0x2

	iptables -t nat -A POSTROUTING -o tunoak -j SNAT --to-source 10.8.0.2

	# This rule rejects all pkts until the VPN starts up (up.sh removes this rule),
	# after vpn shuts down, the rejection is done by blackhole route (see up.sh)
	iptables -A OUTPUT -m mark --mark 0x2 -j REJECT

	# In /etc/sysctl.d/net.conf:
	net.ipv4.conf.all.rp_filter = 0
	net.ipv4.conf.tunoak.rp_filter = 0

	# On VPN server:

	iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 10.8.0.2:51413
	iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 51413 -j DNAT --to-destination 10.8.0.2:51413

	# Main NAT rule: re-write source to the VPN server's external IP
	iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1

	# You can use systemd's iptables.service to restore iptables automatically on
	# boot, that you save with 'iptables-save > /etc/iptables/iptables.rules'

	# Also, on VPN server, in /etc/openvpn/server/server.conf comment out this line
	# to prevent openvpn server forcing the client to forward all traffic through the VPN:
	;push "redirect-gateway def1 bypass-dhcp"

	# Transmission /var/lib/transmission/.config/transmission-daemon/settings.json
	# Must bind to the VPN tun interface, because otherwise transmission communication
	# breaks across the NAT: netfilter # modifies the outgoing reply UDP packets
	# with wrong source port, because # conntrack can't detect the connection,
	# because it sees a source port from # an interface other than the tunnel
	# interface (despite the packet reaching the destination (it reaches, but
	# with the wrong source port, so transmission rejects it).
	"bind-address-ipv4": "10.8.0.2",

	# not necessary, but just to keep things simple: disable IPv6 by binding it to localhost
	"bind-address-ipv6": "::1",

	# cp /{usr/lib,etc}/systemd/system/transmission.service to disable UPnP port mapping:
	# Add --no-portmap

	# Because of the firewalling, we don't have access to RPC from outside the box
	# See transmission-rpc.service for creating SSH tunnel accessible to outside
	[Unit]
	Description=SSH Tunnel to transmission RPC port
	Wants=network-online.target
	After=network.target network-online.target

	[Service]
	# Create this user with: useradd -r -m -d /var/lib/transmission-rpc transmission-rpc
	# Then login, create an SSH key (no passphrase), and authorize the key, and approve the host as known:
	# sudo su - transmission-rpc
	# ssh-keygen -t rsa
	# cp ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
	# ssh localhost
	User=transmission-rpc
	Group=transmission-rpc
	ExecStart=/usr/bin/ssh -NT -L '*:9191:localhost:9091' localhost
	Restart=on-failure

	[Install]
	WantedBy=default.target
	#! /bin/bash

	# Must be created in /etc/iproute2/rt_tables
	VPNTABLE=transmission

	# Must match the mark value saved in iptables.rules:
	# (1) in the rules that mark packets by GUID
	# -A OUTPUT -m owner --uid-owner $USERNAME -j MARK --set-xmark $MARK
	# (2) in the rule that rejects all marked packets by default (see below)
	MARK=0x2

	# Gateway of VPN interface
	GATEWAYIP=10.8.0.2

	if [[ `ip rule list \| grep -c $MARK` == 0 ]]; then
	ip rule add from all fwmark $MARK lookup $VPNTABLE
	fi

	ip route replace default via $GATEWAYIP table $VPNTABLE

	# when default route disappears, will fall back to this null route:
	# NOTE: this is crucial, because iptables rejection rule is removed below,
	# so when openvpn-client service is stopped, iptables no longer protects.
	ip route append blackhole default table $VPNTABLE

	ip route flush cache

	# Remove the rejection rule
	if iptables -C OUTPUT -m mark --mark $MARK -j REJECT
	then
	iptables -D OUTPUT -m mark --mark $MARK -j REJECT
	fi