Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#2884 closed bug (Invalid)

VPN killswitch issues (Windows)

Reported by: eguled
Owned by:
Priority: major
Milestone: needs verified
Component: Unknown
Version: 1.3.13
Keywords: windows x64 vpn openvpn firewall killswitch mac macaddress adapter interface magnet magnetlink startup crash
Cc:

Description

====================== System: ======================

  • Deluge Versions: 1.3.13. Also confirmed previously with 1.3.12
  • OS: Windows 7 x64
  • Python: I have Python @ the default "C:\Python27"
  • PATH: I have the above path in my Windows PATH variable
  • Browser (Magnetlinks): Firefox (also tried Chrome)

====================== Description: ======================

I have configured OpenVPN + software firewall (Comodo) so that I could have a VPN killswitch (e.g. Deluge only works over the VPN adapter). This works fine with Deluge normally (adding torrent files/download/seeding/etc). However, I have to disable this setup in order to start Deluge (otherwise it crashes) or to add magnet links via browser (otherwise it ignores the magnet link when clicked / launched from commandline).

I have used a blocklist since 1.3.12 but encountered the startup issue prior to configuring that so I don't believe this is related. I have already tried Preferences > Other > "Associate Magnet Links". This does nothing (as noted magnet links work fine if VPN is disabled and everything but magnet and startup work fine when it is enabled).

I saw similar ticket 2793 but:

a) I am referring to 2 specific cases where existing functionality is breaking / causing a crash whereas 2793 was asking for *new* functionality. 2793 could potentially solve my issue also, but I don't feel these are necessarily asking for the same thing.

and

b) Unless I am misunderstanding, the proposed resolution for 2793 (using the IfaceWatch plugin) specifically states that it is only a viable option on *LINUX/UNIX* systems and will *NOT* work on Windows.

See http://forum.deluge-torrent.org/viewtopic.php?f=9&t=52739

====================== Issues: ======================

  1. The deluge process crashes/fails to start when Firewall/VPN settings are configured to force traffic through VPN device/adapter/interface (MAC address)
  2. Deluge process ignores attempts to add magnet links / fails to bring up add file dialog / fails to add magnet link when Firewall/VPN settings are configured to force traffic through VPN device/adapter/interface (MAC address)
  3. Preferences > Network has an "Interface" section but the UI/UX does not indicate what format / data should be provided here. Some research online indicates this may be expecting an IP address. I have no idea what actually goes in here, so it would be helpful if this was labelled a little better.... maybe add a line such as "This can be an IP address / Unix adapter name (e.g. 'eth0') / MAC address", "This is only supported on Mac/Linux", etc... For me (Windows 7 x64), I tried MAC address (hyphens and then colons) and IP address of said MAC but neither seemed to fix magnet links. Turning off VPN, they work fine.
  4. If I am correct about what is happening with issues 1 and 2, this could potentially be resulting in a situation where the individual's privacy is compromised (as they have to temporarily disable VPN settings to start the app). Admittedly, if privacy is truly a concern, one should be using something more than just a VPN and maybe even setting the VPN via router rather than via software firewall... but still would be good if the app could safeguard against this where possible.

====================== Steps to confirm: ======================

==Initial Setup==

  1. Setup OpenVPN with VPN provider
  2. Setup Firewall (e.g. Comodo / Windows Firewall / etc)
  3. Using "ipconfig /all" command, get "Physical Address" (aka MAC address) for VPN. For OpenVPN, it will be the "TAP-Windows Adapter" one.
  4. In Firewall, configure to allow Deluge only via this MAC address. In Comodo, this is done by creating a new network zone with the MAC from step 3. Then creating 3 rules: first allow all incoming IP traffic from MAC, second allow all outgoing IP traffic from MAC, third (must be on bottom) to block all traffic NOT to/from MAC.

Detailed instructions here: https://www.bestvpn.com/blog/10218/build-your-own-vpn-kill-switch-in-windows-comodo/

  5. Disable firewall/VPN rules (temporarily)
  6. Start Deluge (give it a couple minutes to be safe)
  7. Enable firewall/VPN rules
  8. Confirm Deluge works normally for *.torrent files to rule out misconfigured Firewall settings. For example, Project Gutenberg DVD which you can find here:

https://www.gutenberg.org/wiki/Gutenberg:The_CD_and_DVD_Project

  9. Disconnect from VPN and confirm that Deluge stops receiving/transmitting to confirm Firewall/VPN settings are correctly configured.

==Recreating Startup Issue==

  10. Exit (close) Deluge
  11. With Firewall/VPN rules enabled, open task manager (or better yet Process Explorer if you have it)
  12. Confirm Deluge is not running (if it is wait / kill process)
  13. Start Deluge and notice that the process launches, then dies

==Recreating Magnet Link Issue==

  14. Repeat steps 5 through 7 to get Deluge started
  15. Attempt to add a magnet link by clicking on one from your browser or alternately by launching the following from the command line (I'm using the magnet link on the Wiki page... link below):

      cd /d "C:\Program Files (x86)\Deluge"
      deluge.exe "magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a&dn"

Wiki page for magnet links (smaller alternative to previous Gutenberg page listed earlier): https://en.wikipedia.org/wiki/Magnet_URI_scheme#Technical_description

  16. You will not see anything happen. Checking in Deluge, you will not see any new downloads added.
  17. Manually copying the magnet link and clicking the "+" (Add) button and then entering the magnet link works fine. (Delete this when finished).
  18. Disable Firewall/VPN rules.
  19. Repeat step 15.
  20. You will see that Deluge had automatically brought up the Add dialog and added the magnet link and is waiting for you to click OK to confirm.

====================== Suggestions: ======================

  1. As I said above, a simple label for Preferences > Network > "Interface" would go a long way
  2. Supporting MAC address under Preferences > Network > "Interface" would be really cool, if this is a possibility. I am imagining that there would be some kind of API / lookup that could be done to translate this to an IP address, similar to what we do manually when using "ipconfig /all". I'm not familiar with the code... so I understand if it's more involved; just hopeful. :-)
  3. ??? (not sure what would be involved to make it play nice for startup / magnet links)

====================== Short-term Work-arounds: ======================

Not exactly a pleasant experience, but here is a work-around that *should* do the necessary while still respecting the killswitch (most of the time). However, if you're coming back after an application crash / power outage / etc, then you might not always be able to pause all the downloads from your previous session and this wouldn't really help in that case.

  1. Pause all downloads before exiting / adding magnet links via browser
  2. disable VPN killswitch
  3. restart / add magnets (if magnets then leave Add dialog up... it can collect multiple)
  4. enable VPN killswitch
  5. if magnets, click OK on Add dialog

Other workarounds (haven't tried yet since they seem like overkill):

  • Move to Linux ? (not always an easy transition)
  • Run Deluge in Linux virtual machine and run VM traffic thru Firewall/VPN ?
  • Move VPN to router (not sure if Netflix/Hulu users can still use VPN ? some routers maybe can't do VPN?)
  • ???
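
The MAC-to-IP lookup the reporter asks for in suggestion 2, done by hand with "ipconfig /all", can be scripted. This is an added example, not code from Deluge or from the ticket; it assumes English-locale `ipconfig /all` output, and the adapter names, MAC addresses and IP addresses in the sample are constructed.

```python
import re

# Constructed sample of English-locale `ipconfig /all` output (all values made up).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)

Ethernet adapter my-tap:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-AA-BB-CC-DD
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)

Ethernet adapter unused-tap:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-FF-11-22-33-44
"""

# An indented "Key . . . . : value" line; the dot leader is dropped from the key.
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")

def _hex(value):
    """Strip separators so hyphen and colon MAC notations compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()

def parse_adapters(text):
    """Return {adapter heading: {field: value}} from `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return adapters

def ipv4_for_mac(text, mac):
    """IPv4 address of the adapter with this MAC, or None if it has none."""
    wanted = _hex(mac)
    if len(wanted) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    for fields in parse_adapters(text).values():
        if _hex(fields.get("Physical Address", "")) == wanted:
            addr = fields.get("IPv4 Address")
            return addr.split("(")[0] if addr else None  # drop "(Preferred)"
    return None
```

A `None` result for a known MAC means the adapter exists but has no address, which is the state a killswitch setup is in while the VPN is disconnected.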

Change History (2)

comment:1 Changed 8 years ago by eguled

*just to clarify, this can be done without Comodo using win7 native firewall.

EDIT: I thought the link I posted above also linked to it but looks like only their Comodo instructions are still active (win7 firewall link is dead).

Here is an alternate guide: https://practicalrambler.blogspot.com/2011/01/windows-7-firewall-how-to-always-use.html

I have also confirmed both issues under both firewalls. I should probably mention that I am just using default PIA OpenVPN settings + dnsleaktest.com scripts.

I am using the strong config https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip but have confirmed the same behavior under the regular one as well https://www.privateinternetaccess.com/openvpn/openvpn.zip. Other applications that have identical firewall config to Deluge behave correctly. On my firewall logs, I can see that on deluge launch, it tries to make an outbound TCP connection from 127.0.01:50574 to 127.0.01:50573 which gets blocked and then deluge appears to exit immediately after. This only seems to be an issue for Deluge, but I will try to investigate this further to rule out any config problems on my end and report back. I did already try making a rule to allow TCP+UDP (as opposed to just IP) as long as it goes through my VPN adapter, but no dice.

I think my Deluge network settings are using defaults, but just in case I changed something and forgot about it, see below.

Bandwidth and Proxy settings should be default. I am using VPN rather than Proxy as I felt this was the more secure route. I don't use NAT or UPNP as I didn't like certain security aspects of those configurations. As I mention above, everything works fine except initial startup and automatic adding of magnet links (unless firewall is disabled).

====================== Deluge Network Preferences ======================

Incoming
[ ] Use Random Ports
From 56881 to 58008

Outgoing
[ ] Use Random Ports
From 50000 to 59999

Interface:
- have tried lots of stuff here including "eth0", "my-tap" (renamed adapter to this), the adapter guid as reported by OpenVPN log, MAC address (hyphens), MAC address (colons), static IP address associated with VPN's MAC, etc
- currently blank

Peer TOS Byte:
0x00

Network Extras:
[ ] UPnP
[x] LSD
[ ] NAT-PMP
[x] DHT
[x] Peer Exchange

Encryption:
Inbound=Enabled
Outbound=Enabled
Level=Full Stream
[x] Encrypt entire stream


comment:2 Changed 8 years ago by Cas

  • Milestone changed from Future to needs verified
  • Resolution set to Invalid
  • Status changed from new to closed