Hello,
I'm trying to set up Transmission (version 2.84) to route through my VPN connection. My ideal set-up would be to have Transmission going through the VPN and other traffic going through my normal WAN connection. I'd prefer to accomplish this at my router as opposed to at the local machine where the Transmission client is running, and I believe this would mean that I would need to direct traffic based on port numbers using iptables.
Please forgive my lack of BitTorrent understanding, but I gather that aside from the listening port that one can see in the Transmission client (default 51413), a large port range separate from 51413 is also used for actual data transfers. So my questions are: can anyone give me a full list of all ports that will potentially be used by Transmission on OS X (10.9.4)? Is there a way to limit the port range used? And can anyone give me some insight as to whether I should be targeting said ports as source and/or destination ports in my iptables rules?
Transmission, ports and VPN
- Posts: 5
- Joined: Wed Aug 20, 2014 11:23 am
Re: Transmission, ports and VPN
Thanks for taking the time to reply. So I take it there's no way to limit that range to any degree?
- Posts: 5
- Joined: Wed Aug 20, 2014 11:23 am
Re: Transmission, ports and VPN
OK thanks again. Will see how I go.
- Posts: 12
- Joined: Mon Dec 30, 2013 8:23 am
Re: Transmission, ports and VPN
I've had some initial luck doing this. I have a DD-WRT router, and I set up OpenVPN from the web gui.
The first thing that was obvious was that OpenVPN's default configuration is screwy. You'll need to add "route-nopull" to it. This will allow the VPN to start without it borking up the routing table big time.
The second thing you'll need to do is add some routing rules for the bittorrent traffic. I have the following:
Code:
# Gateway for the tunnel: the last IPv4 address ifconfig prints for tun1 that is
# neither a netmask nor loopback, i.e. the P-t-P peer address
VPNGW=$(ifconfig tun1 | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
# separate routing table 100 whose only default route goes out through the VPN...
ip route replace default via $VPNGW dev tun1 table 100
# ...and a policy rule sending packets marked 7 to that table
ip rule add fwmark 7 table 100
This could go into the bash script that openvpn runs at startup (I'm still doing it manually while I tweak the details). Your VPN interface might not be tun1; change that if needed. The rest can stay the same.
Then, we need to mark the outgoing packets that look like bittorrent. I know everyone says that bt is 6881-6890, but it looks like when a peer connects to you he's using that as a source port and uses 51413 as the destination port. So I've got this:
Code:
# mark bittorrent packets: traffic from the LAN bridge whose source port is the
# Transmission listening port gets fwmark 7 and so uses routing table 100
iptables -t mangle -I PREROUTING -i br0 -p udp --sport 51413 -j MARK --set-mark 7
iptables -t mangle -I PREROUTING -i br0 -p tcp --sport 51413 -j MARK --set-mark 7
# allow responses (INPUT chain: traffic addressed to the router itself)
iptables -A INPUT -i tun1 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# bittorrent
iptables -A INPUT -i tun1 -p udp --dport 51413 -j ACCEPT
iptables -A INPUT -i tun1 -p tcp --dport 51413 -j ACCEPT
# block everything else incoming on the vpn
iptables -A INPUT -i tun1 -j REJECT
# masquerading: LAN sources leaving through the tunnel get the tunnel address
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
This seems to *mostly* work. When a torrent starts, you'll see a ton of traffic screaming through tun1, and very little traffic on the WAN interface. But some still leaks, and I haven't figured that out yet.
If you or anyone else is trying to accomplish the same, I could use some help. The VPN I'm using is adequate for torrents, but if I force all my traffic through it like they recommend, the internet's unusable for the entire household.
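A fuller version of the same fwmark-plus-routing-table approach, as an added example and not the poster's own script. It takes the tunnel name and gateway from the $dev and $route_vpn_gateway variables OpenVPN exports to --up/--route-up scripts when they are set, and otherwise parses the P-t-P address out of busybox ifconfig; it marks by the torrent box's LAN address as well as by port, because TCP connections the client opens itself use ephemeral source ports and a --sport 51413 match never sees them (the likeliest reason "some still leaks" in the post above); it sets loose reverse-path filtering on the tunnel so replies arriving there are not dropped; and it inserts a FORWARD rule that refuses marked packets on any interface other than the tunnel, so nothing falls back to the WAN when the VPN goes down and its routes disappear from the table. The interface names br0/tun1, port 51413, table 100, mark 7, the script path and the LAN address 192.168.1.50 are assumptions; with DRY_RUN=1 it prints the commands instead of running them, and run with no argument it only defines functions.

```shell
#!/bin/sh
# Policy-route BitTorrent traffic from the LAN through an OpenVPN tunnel on a
# Linux router (DD-WRT/busybox).  Added example, not the forum poster's script.
# Assumed names (change as needed): LAN bridge br0, listening port 51413,
# routing table 100, fwmark 7, tunnel device from OpenVPN's $dev (default tun1).
#
# Intended use, with route-nopull so the VPN does not take over the main table:
#   openvpn ... --route-nopull --script-security 2 --route-up "/jffs/bt-vpn.sh apply"
# Run with no argument it only defines functions, so it can also be sourced.

LAN_IF="${LAN_IF:-br0}"
BT_PORT="${BT_PORT:-51413}"
BT_HOST="${BT_HOST:-}"      # optional: LAN address of the torrent box
TABLE="${TABLE:-100}"
MARK="${MARK:-7}"
VPN_IF="${dev:-tun1}"       # OpenVPN exports $dev to --up/--route-up scripts
DRY_RUN="${DRY_RUN:-}"      # set to 1 to print commands instead of running them

# run CMD ARGS...: execute, or echo the command line when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# ptp_peer: read busybox `ifconfig` output on stdin and print the tunnel's
# P-t-P peer address (the remote end).  Exits 1 if there is none.
ptp_peer() {
    awk '
        /P-t-P:/ { sub(/.*P-t-P:/, ""); sub(/[ \t].*/, ""); gw = $0; exit }
        END      { if (gw == "") exit 1; print gw }'
}

# vpn_gateway: OpenVPN's $route_vpn_gateway when running as its script,
# otherwise the P-t-P peer from ifconfig; empty means "route by device only".
vpn_gateway() {
    if [ -n "${route_vpn_gateway:-}" ]; then
        echo "$route_vpn_gateway"
    else
        ifconfig "$VPN_IF" 2>/dev/null | ptp_peer || true
    fi
}

# setup_routes GW: default route via the tunnel in table TABLE, and a rule that
# sends packets carrying MARK to that table.
setup_routes() {
    if [ -n "$1" ]; then
        run ip route replace default via "$1" dev "$VPN_IF" table "$TABLE"
    else
        run ip route replace default dev "$VPN_IF" table "$TABLE"
    fi
    # `ip rule add` is not idempotent: drop a stale copy before adding.
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
    # Replies arrive on the tunnel but the main table would route the peer via
    # the WAN; strict reverse-path filtering drops them.  2 = loose mode
    # (use 0 on kernels that only know 0/1).
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# setup_marks: mark LAN packets that belong to BitTorrent, add NAT and a leak guard.
setup_marks() {
    # Packets leaving the LAN from the listening port: replies to inbound peers,
    # plus DHT/uTP, which Transmission sends from the same UDP port.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --sport "$BT_PORT" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p udp --sport "$BT_PORT" -j MARK --set-mark "$MARK"
    # TCP connections the client opens itself use ephemeral source ports, so a
    # port match alone misses them; if the torrent box is known, mark it by address.
    if [ -n "$BT_HOST" ]; then
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$BT_HOST" -j MARK --set-mark "$MARK"
    fi
    # Leak guard, inserted first: when the tunnel is down its routes vanish from
    # table TABLE and marked packets would fall through to the WAN.  Refuse that.
    run iptables -I FORWARD 1 -m mark --mark "$MARK" ! -o "$VPN_IF" -j REJECT
    # The VPN only knows the tunnel address, so NAT LAN sources behind it.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply) setup_routes "$(vpn_gateway)"; setup_marks ;;
esac
```

Marking by address (BT_HOST) is the part that actually closes the leak; the port rules alone are what the post above has. The leak guard only protects forwarded LAN traffic, which is the case here (the client is on the LAN, not on the router); if the torrent client ever runs on the router itself, the same rule is needed in OUTPUT as well.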