Opened 20 months ago

Closed 20 months ago

Last modified 9 months ago

#2884 closed bug (Invalid)

VPN killswitch issues (Windows)

Reported by: eguled
Owned by:
Priority: major
Milestone: needs verified
Component: Unknown
Version: 1.3.13
Keywords: windows x64 vpn openvpn firewall killswitch mac macaddress adapter interface magnet magnetlink startup crash
Cc:

Description

====================== System: ======================

  • Deluge Versions: 1.3.13. Also confirmed previously with 1.3.12
  • OS: Windows 7 x64
  • Python: I have Python @ the default "C:\Python27"
  • PATH: I have the above path in my Windows PATH variable
  • Browser (Magnetlinks): Firefox (also tried Chrome)

====================== Description: ======================

I have configured OpenVPN + software firewall (Comodo) so that I could have a VPN killswitch (e.g. Deluge only works over the VPN adapter). This works fine with Deluge normally (adding torrent files/download/seeding/etc). However, I have to disable this setup in order to start Deluge (otherwise it crashes) or to add magnet links via browser (otherwise it ignores the magnet link when clicked / launched from commandline).

I have used a blocklist since 1.3.12 but encountered the startup issue prior to configuring that so I don't believe this is related. I have already tried Preferences > Other > "Associate Magnet Links". This does nothing (as noted magnet links work fine if VPN is disabled and everything but magnet and startup work fine when it is enabled).

I saw similar ticket 2793 but:

a) I am referring to 2 specific cases where existing functionality is breaking / causing a crash whereas 2793 was asking for *new* functionality. 2793 could potentially solve my issue also, but I don't feel these are necessarily asking for the same thing.

and

b) Unless I am misunderstanding, the proposed resolution for 2793 (using the IfaceWatch plugin) specifically states that it is only a viable option on *LINUX/UNIX* systems and will *NOT* work on Windows.

See http://forum.deluge-torrent.org/viewtopic.php?f=9&t=52739

====================== Issues: ======================

  1. The deluge process crashes/fails to start when Firewall/VPN settings are configured to force traffic through VPN device/adapter/interface (MAC address)
  2. Deluge process ignores attempts to add magnet links / fails to bring up add file dialog / fails to add magnet link when Firewall/VPN settings are configured to force traffic through VPN device/adapter/interface (MAC address)
  3. Preferences > Network has an "Interface" section but the UI/UX does not indicate what format / data should be provided here. Some research online indicates this may be expecting an IP address. I have no idea what actually goes in here, so it would be helpful if this was labelled a little better.... maybe add a line such as "This can be an IP address / Unix adapter name (e.g. 'eth0') / MAC address ", " This is only supported on Mac/Linux? ", etc... For me (Windows 7 x64), I tried MAC address (hyphens and then colons) and IP address of said MAC but neither seemed to fix magnet links. Turning off VPN, they work fine.
  4. If I am correct about what is happening with issues 1 and 2, this could potentially be resulting in a situation where the individual's privacy is compromised (as they have to temporarily disable VPN settings to start the app). Admittedly, if privacy is truly a concern, one should be using something more than just a VPN and maybe even setting the VPN via router rather than via software firewall... but still would be good if the app could safeguard against this where possible.

====================== Steps to confirm: ======================

==Initial Setup==

  1. Setup OpenVPN with VPN provider
  2. Setup Firewall (e.g. Comodo / Windows Firewall / etc)
  3. Using "ipconfig /all" command, get "Physical Address" (aka MAC address) for VPN. For OpenVPN, it will be the "TAP-Windows Adapter" one.
  4. In Firewall, configure to allow Deluge only via this MAC address. In Comodo, this is done by creating a new network zone with the MAC from step 3. Then creating 3 rules: first allow all incoming IP traffic from MAC, second allow all outgoing IP traffic from MAC, third (must be on bottom) to block all traffic NOT to/from MAC.

Detailed instructions here: https://www.bestvpn.com/blog/10218/build-your-own-vpn-kill-switch-in-windows-comodo/

  5. Disable firewall/VPN rules (temporarily)
  6. Start Deluge (give it a couple minutes to be safe)
  7. Enable firewall/VPN rules
  8. Confirm Deluge works normally for *.torrent files to rule out misconfigured Firewall settings. For example, Project Gutenberg DVD which you can find here:

https://www.gutenberg.org/wiki/Gutenberg:The_CD_and_DVD_Project

  9. Disconnect from VPN and confirm that Deluge stops receiving/transmitting to confirm Firewall/VPN settings are correctly configured.

==Recreating Startup Issue==

  10. Exit (close) Deluge
  11. With Firewall/VPN rules enabled, open task manager (or better yet Process Explorer if you have it)
  12. Confirm Deluge is not running (if it is wait / kill process)
  13. Start Deluge and notice that the process launches, then dies

==Recreating Magnet Link Issue==

  14. Repeat steps 5 through 7 to get Deluge started
  15. Attempt to add a magnet link by clicking on one from your browser or alternately by launching the following from the command line (I'm using the magnet link on the Wiki page... link below):

      cd /d "C:\Program Files (x86)\Deluge"
      deluge.exe "magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a&dn"

Wiki page for magnet links (smaller alternative to previous Gutenberg page listed earlier): https://en.wikipedia.org/wiki/Magnet_URI_scheme#Technical_description

  16. You will not see anything happen. Checking in Deluge, you will not see any new downloads added.
  17. Manually copying the magnet link and clicking the "+" (Add) button and then entering the magnet link works fine. (Delete this when finished).
  18. Disable Firewall/VPN rules.
  19. Repeat step 15.
  20. You will see that Deluge had automatically brought up the Add dialog and added the magnet link and is waiting for you to click OK to confirm.

====================== Suggestions: ======================

  1. As I said above, a simple label for Preferences > Network > "Interface" would go a long way
  2. Supporting MAC address under Preferences > Network > "Interface" would be really cool, if this is a possibility. I am imagining that there would be some kind of API / lookup that could be done to translate this to an IP address, similar to what we do manually when using "ipconfig /all". I'm not familiar with the code... so I understand if it's more involved; just hopeful. :-)
  3. ??? (not sure what would be involved to make it play nice for startup / magnet links)

====================== Short-term Work-arounds: ======================

Not exactly a pleasant experience, but here is a work-around that *should* do the necessary while still respecting the killswitch (most of the time). However, if you're coming back after an application crash / power outage / etc, then you might not always be able to pause all the downloads from your previous session and this wouldn't really help in that case.

  1. Pause all downloads before exiting / adding magnet links via browser
  2. disable VPN killswitch
  3. restart / add magnets (if magnets then leave Add dialog up... it can collect multiple)
  4. enable VPN killswitch
  5. if magnets, click OK on Add dialog

Other workarounds (haven't tried yet since they seem like overkill):

  • Move to Linux ? (not always an easy transition)
  • Run Deluge in Linux virtual machine and run VM traffic thru Firewall/VPN ?
  • Move VPN to router (not sure if Netflix/Hulu users can still use VPN ? some routers maybe can't do VPN?)
  • ???

Change History (3)

comment:1 Changed 20 months ago by eguled

UPDATE:

THIS TICKET CAN BE CLOSED / REJECTED.

This was related to a configuration issue on my end. I apologize for any inconvenience. I will leave the following notes in case it helps anyone else with similar issues.

ROOT CAUSE: On startup, Deluge tries to make an outbound TCP connection from 127.0.0.1:50574 to 127.0.0.1:50573. Even though 127.0.0.1 is localhost, it uses the loopback interface rather than the VPN interface. So if a firewall killswitch doesn't handle that, it will just see "NOT VPN" and block it, causing Deluge to fail. I suspect that magnet links from the browser are launching a second process, which runs into the same problem [unconfirmed].

FIX:

For Comodo, change step 4 from the initial setup above to the new steps shown below. I have confirmed that this fixes BOTH issues (startup crash and magnet links being ignored).

  4. In Firewall, configure to allow Deluge only via this MAC address. In Comodo, this is done by creating a new network zone with the MAC from step 3. Then creating 4 rules:
     4.1. Rule 1 = allow all incoming IP traffic from MAC
     4.2. Rule 2 = allow all outgoing IP traffic from MAC
     4.3. Rule 3 - allow all In and Out IP traffic from 127.0.0.1 to 127.0.0.1
     4.4. Rule 4 - (MUST be on bottom) to block all traffic NOT to/from MAC.

Detailed instructions here: https://www.bestvpn.com/blog/10218/build-your-own-vpn-kill-switch-in-windows-comodo/

For Windows Firewall,

I don't really use the built-in firewall so I'm not sure how to add exceptions to the rule. You could create the basic killswitch rules using these instructions: https://practicalrambler.blogspot.com/2011/01/windows-7-firewall-how-to-always-use.html

I'm just guessing, but I think for adding the loopback/localhost exception, you would probably end up creating 2 additional rules something like this:

INBOUND [untested]:

  • program=deluge
  • action=allow the connection
  • profile=check domain + private
  • save rule
  • right-click rule > properties > scope tab
  • for local, choose 'these ip addresses', enter 127.0.0.1
  • for remote, choose 'these ip addresses', enter 127.0.0.1
  • click apply then ok to save

OUTBOUND [untested]:

  • program=deluge
  • action=allow the connection
  • profile=check domain + private
  • save rule
  • right-click rule > properties > scope tab
  • for local, choose 'these ip addresses', enter 127.0.0.1
  • for remote, choose 'these ip addresses', enter 127.0.0.1
  • click apply then ok to save

ANYBODY TRYING THE WINDOWS FIREWALL SETTINGS WOULD OBVIOUSLY NEED TO VERIFY THAT MY GUESSES ACTUALLY WORK BEFORE USING THEM SERIOUSLY.

Last edited 20 months ago by eguled
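
The root cause described in comment:1 (a TCP connection from 127.0.0.1 to 127.0.0.1 being blocked by the killswitch rules) can be checked on its own. The script below is an added example, not part of the ticket or of Deluge's code; the function name check_loopback_tcp and the probe payload are assumptions made for illustration.

```python
import socket

LOOPBACK = "127.0.0.1"

def check_loopback_tcp(timeout=2.0, payload=b"killswitch-probe"):
    """Pass a payload over a TCP connection from 127.0.0.1 to 127.0.0.1.

    Returns (ok, detail). The function name and payload are illustrative.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn = None
    try:
        srv.settimeout(timeout)
        cli.settimeout(timeout)
        srv.bind((LOOPBACK, 0))            # port 0: the OS picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        cli.connect((LOOPBACK, port))      # outbound leg on loopback
        conn, peer = srv.accept()          # inbound leg on loopback
        conn.settimeout(timeout)
        cli.sendall(payload)
        received = b""
        while len(received) < len(payload):
            chunk = conn.recv(len(payload) - len(received))
            if not chunk:                  # peer closed before all data arrived
                break
            received += chunk
        if received != payload:
            return False, "connected, but the payload did not arrive intact"
        return True, "loopback TCP works (%s:%d -> %s:%d)" % (
            peer[0], peer[1], LOOPBACK, port)
    except socket.timeout:
        # Silently dropped packets show up as a timeout, not a refusal.
        return False, "timed out: loopback packets are probably being dropped"
    except OSError as exc:
        return False, "loopback connection failed: %s" % exc
    finally:
        for s in (conn, cli, srv):
            if s is not None:
                s.close()

if __name__ == "__main__":
    ok, detail = check_loopback_tcp()
    print(("PASS: " if ok else "FAIL: ") + detail)
```

Run it once with the killswitch rules enabled and once with them disabled. The result only reflects what Deluge sees if the same firewall rule set is applied to the Python interpreter running the script.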

comment:2 Changed 20 months ago by Cas

  • Milestone changed from Future to needs verified
  • Resolution set to Invalid
  • Status changed from new to closed

comment:3 Changed 9 months ago by allenkeith

I think the best VPN for Windows https://www.onevpn.com/windows-vpn/ you should try this as I'm using it for a few weeks, it's great with best features.
