Setting up Deluge with VPN
There are two basic options when using VPN.
- Use the VPN as the primary connection with default routing passing through the VPN. This way all the traffic from the host uses the VPN.
- Use the VPN connection only for specific traffic. All network traffic passes through the default interface except for the traffic you specifically want to route through the VPN interface.
Routing only specific traffic through the VPN interface can be useful, but is also the most tricky to configure.
Linux
Directing only some traffic through the VPN interface can be achieved using iptables. There are two different solutions:
- Route all traffic from a specific user (i.e. traffic from all processes owned by a specific user) through the VPN interface.
- Route all traffic that matches specific ports or protocols
Route all traffic from a specific user
By marking all packets produced by processes owned by a specific user, it is not necessary to add filters on the type of traffic that should be routed.
Scripts for a basic setup can be found at the deluge-vpn repo.
FreeBSD
Multiple routing tables
FreeBSD supports multiple routing tables in the kernel, which enables a process to be started with a custom default routing table. This requires recompiling the kernel with this option enabled (See this blog post for details).
With an alternate routing table already set up (on -1) you can start Deluge daemon with:
$ setfib -1 /path/to/deluged -l /var/log/deluged/deluged.log -L info -i <insert-VPN-IP>
Using openvpn you can set up the alternate routing table automatically:
- Create /usr/local/etc/openvpn/link-up.sh with the following content:
#!/bin/sh IP=`/sbin/ifconfig $1 | grep "inet " | cut -d" " -f4` echo "LINK-UP - SETTING AS DEFAULT GATEWAY FOR ROUTING TABLE 1: $IP" /usr/sbin/setfib -1 /sbin/route add default $IP
- Add the following line to the vpn config file
up "/usr/local/etc/openvpn/link-up.sh tun0"
where tun0 is the VPN interface.
When starting openvpn the alternate routing table should be set up
$ /usr/local/etc/rc.d/openvpn start
To test that it works, you can use traceroute:
$ setfib -1 traceroute www.google.com
Handling IP changes on VPN interface
Whenever the IP on the VPN interface changes (for whatever reason), it is necessary to update the routing table with the new IP. However, if deluge is setup to listen on a specific IP, it is also necessary to update deluge with the new IP. Instead of manually setting the new IP in the preferences, the plugin IfaceWatch can be used to do this automatically based on the network interface name.
Windows 10
- few openvpn clients can
- bind to interface address
- PRO and Enterprise versions
Route traffic of specific programs
The least traumatic [lazy] way to achieve Split Tunneling is a branded OpenVPN client of a Tier1 paid provider. By my estimates fewer than 10% offer this feature reliably.
Route traffic through TUN via program options
Alternatively use the Deluge UI: options, network, address. Find the [non routable] address of the TUN adapter to enter there. It seems to accept wildcard character asterisk in lieu of a number for octet, i.e., 10.*.*.*
Group Policy
https://www.reddit.com/r/HomeNetworking/comments/6wykcf/openvpn_split_tunnel_on_windows/dmc94ze/
Local Computer Policy -> Computer Configuration -> Windows Settings -> Policy-Based QoS
You can set Unique DSCP marks on a Per-User, Per-Application, Per-Source, Per-Destination or Per-Protocol | Port basis. These DSCP marks [can be specified in Deluge preferences: network: TOS].