Setting up Deluge with VPN

  1. Linux
    1. Route all traffic from a specific user
  2. FreeBSD
    1. Multiple routing tables
  3. Handling IP changes on VPN interface
  4. Windows 10
    1. Route traffic of specific programs
    2. Route traffic through TUN via program options
    3. Group Policy

There are two basic options when using VPN.

  1. Use the VPN as the primary connection with default routing passing through the VPN. This way all the traffic from the host uses the VPN.
  2. Use the VPN connection only for specific traffic. All network traffic passes through the default interface except for the traffic you specifically want to route through the VPN interface.

Routing only specific traffic through the VPN interface can be useful, but is also the most tricky to configure.


Directing only some traffic through the VPN interface can be achieved using iptables. There are two different solutions:

  1. Route all traffic from a specific user (i.e. traffic from all processes owned by a specific user) through the VPN interface.
  2. Route all traffic that matches specific ports or protocols

Route all traffic from a specific user

By marking all packets produced by processes owned by a specific user, it is not necessary to add filters on the type of traffic that should be routed.

Scripts for a basic setup can be found at the deluge-vpn repo.


Multiple routing tables

FreeBSD supports multiple routing tables in the kernel, which enables a process to be started with a custom default routing table. This requires recompiling the kernel with this option enabled (See this blog post for details).

With an alternate routing table already set up (on -1) you can start Deluge daemon with:

 $ setfib -1 /path/to/deluged -l /var/log/deluged/deluged.log  -L info -i <insert-VPN-IP>

Using openvpn you can set up the alternate routing table automatically:

  1. Create /usr/local/etc/openvpn/ with the following content:
    IP=`/sbin/ifconfig $1 | grep "inet " | cut -d" " -f4`
    /usr/sbin/setfib -1 /sbin/route add default $IP
  1. Add the following line to the vpn config file
    up "/usr/local/etc/openvpn/ tun0"
    where tun0 is the VPN interface.

When starting openvpn the alternate routing table should be set up

$ /usr/local/etc/rc.d/openvpn start

To test that it works, you can use traceroute:

$ setfib -1 traceroute

Handling IP changes on VPN interface

Whenever the IP on the VPN interface changes (for whatever reason), it is necessary to update the routing table with the new IP. However, if deluge is setup to listen on a specific IP, it is also necessary to update deluge with the new IP. Instead of manually setting the new IP in the preferences, the plugin IfaceWatch can be used to do this automatically based on the network interface name.

Windows 10

  1. few openvpn clients can
  2. bind to interface address
  3. PRO and Enterprise versions

Route traffic of specific programs

The least traumatic [lazy] way to achieve Split Tunneling is a branded OpenVPN client of a Tier1 paid provider. By my estimates fewer than 10% offer this feature reliably.

Route traffic through TUN via program options

Alternatively use the Deluge UI: options, network, address. Find the [non routable] address of the TUN adapter to enter there. It seems to accept wildcard character asterisk in lieu of a number for octet, i.e., 10.*.*.*

Group Policy

Local Computer Policy -> Computer Configuration -> Windows Settings -> Policy-Based QoS

You can set Unique DSCP marks on a Per-User, Per-Application, Per-Source, Per-Destination or Per-Protocol | Port basis. These DSCP marks [can be specified in Deluge preferences: network: TOS].

Last modified 3 years ago Last modified on 01/14/2020 04:38:49 PM