[Guide] How to configure a Transmission Jail to use WireGuard with Mullvad

Joined
Oct 22, 2019
Messages
3,641
> Windscribe?
I have no idea at this point. I'm very close to requesting a refund from AzireVPN. (Even their port-forwarding is counter-intuitive and has "gotchas" that they're not very clear about.)

ProtonVPN and IVPN are much more costly. (You need to purchase 1 or 2 years in advance just to compete with Mullvad's one month cost.)

I'm unfamiliar with Windscribe.

Air VPN might be the next best shot within a comparable price point. (I'm eyeing this one if I end up getting a refund for Azire.)

Do you have any personal experience with Windscribe? I've recently learned that no amount of research trumps personal experience. (AzireVPN comes to mind...)
 

Volts

Patron
Joined
May 3, 2021
Messages
210
> Do you have any personal experience with Windscribe?

Not for a very long time. Before Wireguard was a thing.

My impression of them was very good at the time. I think about Windscribe and Mullvad and Proton in the same way - independent and honest within their ability. They're in Canada, if that changes your thinking one way or another.

There's a stickied post on reddit /r/vpn with a matrix of comparisons between providers.
 
Joined
Oct 22, 2019
Messages
3,641
Good news and "bad" news.

Good news is I got port-forwarding via AzireVPN to work with qBittorrent in a TrueNAS Core jail.

I created a custom script, since the official Azire support for this feature is in its infancy, which they even admitted to me over a customer support email.

For the record, I really dislike the command-line, and I hate scripting. (Spoiler alert: I suck at it.) But I did this out of frustration and created a fairly intuitive script to manage port-forwarding when there is a lack of a GUI and web browser. (Why is "sh" so convoluted when it comes to variables within "curl" arguments? I want to stuff the quotation and double-quote symbols into a fire pit!)

If this sounds strange, it's because you cannot configure or manage forwarded ports on the AzireVPN dashboard unless you are actively connected via the tunnel while using your web browser. (This rules out a FreeBSD jail outright, so you have to resort to API calls via "curl".) So unlike Mullvad, this feels archaic.

But alas, I created a custom script based on their examples, and I've got everything to work seamlessly (for the most part.) So I'm back to where I was, except this time the VPN provider is different.

Their customer support admitted that this is a new feature and they're going to eventually improve it, and somewhat on another note, they will possibly create a GUI app for desktop Linux.

So the "bad" news is that the user experience and level of cross-platform support feels second-class compared to Mullvad.

I'll see how I feel after 3 months. I'm going to start another thread with the steps I took to get port-forwarding to work with AzireVPN in a qBittorrent TrueNAS Core jail. I just feel a bit tired now. (Like I said, I hate scripting, and when I post my script, please feel free to tell me how crappy it is and write something better.) :smile:


EDIT: Leaving Mullvad, you realize how much polish and effort they put into their products and services.
  • Wide cross-platform support for their GUI apps
  • Local network bypass (you can still access your local network without stopping the VPN)
  • Split tunneling
  • Highly polished and intuitive web dashboard where you can manage connections (and previously ports), without the need to connect to a specific tunnel
  • "Alias" names for your tunnels, such as "Lazy Crocodile", which lets you easily identify connections (rather than resorting to comparing the internal VPN IP addresses)
  • Granularity for their "wg" interfaces, broken down by country, city, and individual servers (whereas Azire is only city)

I will give Azire one thing over Mullvad: they allow up to 10 WireGuard devices, but only 5 active simultaneous connections. Mullvad was a hard limit of "5 WireGuard devices in total." This means with Azire, you can at least configure beyond 5 devices, and still be able to use your VPN on all of them, so long as you don't have more than 5 devices connected at the same time. Whereas with Mullvad, once you hit 5 devices (at any point), you cannot add another device unless you first remove one.


EDIT 2: You can apparently forward a port longer than 30 days if you specify "0" when configuring one, which supposedly means "no expiration". However, the expiration date is still set to "1 year" for some reason. This isn't a problem at all. You can issue an "update" for the port, which I think just bumps it up another month? Their documentation is not clear on it.


EDIT 3: There's no assurance that AzireVPN won't follow in Mullvad's footsteps by disabling port-forwarding in the future.
 
Joined
Oct 22, 2019
Messages
3,641
Well, well, well, lookie here:


Even IVPN is getting rid of port-forwarding.

June 29, 2023 announcement:
Since recent similar changes in the policies of another popular VPN service provider, we have seen a significant influx of new customers, and the risks posed by such activities have grown manyfold. A considerable increase in law enforcement inquiries and erosion of relationship with data centers could threaten our ability to keep serving our customers.
 

jnk

Cadet
Joined
Sep 13, 2023
Messages
6
> I'll see how I feel after 3 months. I'm going to start another thread with the steps I took to get port-forwarding to work with AzireVPN in a qBittorrent TrueNAS Core jail. I just feel a bit tired now. (Like I said, I hate scripting, and when I post my script, please feel free to tell me how crappy it is and write something better.) :smile:
Sorry to bother you, but would it be possible to share your steps and / or script? I looked through the forums but could not find the thread you planned on creating; apologies if I failed to notice it if it does exist.

Currently I am still using Mullvad but the port forwarding issue is getting annoying. I assume that in the end the provider is irrelevant and it's the configuration on the system that matters, however network related configuration unfortunately isn't my strong suit so any help in that regard is very welcome.

Thank you very much in advance for any documentation or insights.
 
Joined
Oct 22, 2019
Messages
3,641
I had canceled my Azire subscription early on for a full refund. They have terrible tools, lack a real Linux GUI, and their setup I found to be convoluted.

I decided to go with AirVPN instead. (I paid for 3 months.)

They have a legitimate "dashboard" on their website to configure everything. You can easily create custom wireguard configs. Toggle port-forwarding on and off. Easily manage "devices".

The main downside is that they do not have the fastest servers, nor do they have as many different countries available. Their opensource GUI for Windows and Linux ("Eddie") is a bit clunky, although it's still quite usable. It caters towards "power users".

It's been working well for me, and I've been using port-forwarding in my jail with no issues. The raw speeds aren't that big of a deal, since I cap my download/upload limits anyways.

I'm still not sure how the client automatically chooses the "best" server to connect to. The GUI seems to always pick a server with the lowest latency. Unlike Mullvad, there's no way to "randomly connect to a different server". If you click "Connect", it will most likely just use the same server as before, since it has the best "ping" results. (At least Mullvad will randomly "mix it up", which is nice.)

I kind of don't want to promote AirVPN, since the fewer people that use it, the better. :tongue:

I can still share how everything's set up if you'd like. It's mostly the same procedure as Mullvad, except for the difference in the online dashboard.




Main dashboard, client area (screenshot: air-client-area.jpg)

Manage devices (screenshot: air-manage-devices.jpg)

Port-forwarding (screenshot: air-port-forwarding.jpg)
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I've been using NordVPN without port forwarding (I know, not ideal). But I had already purchased a 2-year subscription before I figured out that port forwarding is kinda' important for torrents. Is AirVPN better? Why don't you want to promote it? I was looking at ProtonVPN when my subscription for NordVPN ends, but was wondering if you guys think there are better more cost-effective similar solutions which are equivalent to NordVPN (no logs, regular independent audits). I don't particularly care whether it runs Wireguard or OpenVPN as I'm experienced with either of them.
 

jnk

Cadet
Joined
Sep 13, 2023
Messages
6
> I can still share how everything's set up if you'd like. It's mostly the same procedure as Mullvad, except for the difference in the online dashboard.
Thanks for your reply. I somehow convinced myself that I had to jump through some hoops on the client side to get port forwarding working, mainly due to the documentation that ProtonVPN placed on their site (link to instructions). They mention a loop you have to run on the client, but it uses a tool that I believe is restricted to Linux.

Perhaps your AirVPN setup allows for doing this once via a Web UI and not needing to refresh every so often? If so, I may have to look around for such a setup with a provider if I can't figure out how to do the ProtonVPN thing with BSD. I don't really want to sign up for 1-2 years in the hopes that I can figure that out :smile:.
 
Joined
Oct 22, 2019
Messages
3,641
> Is AirVPN better?
I like everything about AirVPN except for:
  • Not as many different countries to choose from (compared to other VPN providers)
  • Servers aren't the fastest (compared to other VPN providers), and are more susceptible to being overloaded
  • The opensource GUI ("Eddie") is bulky and feels like a clunky Java application

> Why don't you want to promote it?
The fewer people who use it, the less burden on their servers, which is better for me and existing users. :tongue:


> I was looking at ProtonVPN when my subscription for NordVPN ends, but was wondering if you guys think there are better more cost-effective similar solutions which are equivalent to NordVPN (no logs, regular independent audits).
ProtonVPN requires purchasing a 2-year plan ($120) to get the same rate as purchasing only a 3-month plan from AirVPN ($15). In this case, they both come out to $5/month.

AirVPN lets you purchase a 3-day plan for $2, or a 1-month plan for $7, if you just want to dip your toes. (You can literally purchase 3 days for $2, and then add another 3 days for an extra $2.)

* I use $ because I'm lazy and don't feel like converting the currency.
 
Joined
Oct 22, 2019
Messages
3,641
> Perhaps your AirVPN setup allows for doing this once via a Web UI and not needing to refresh every so often?
Correct. (This assumes they won't "pull a Mullvad" in the future.) :wink: See my above screenshots of the web dashboard when you log in to your AirVPN account.


> I don't really want to sign up for 1-2 years in the hopes that I can figure that out :smile:.
You can drop $2 to purchase 3 days of AirVPN if you want to test it out.
 

jnk

Cadet
Joined
Sep 13, 2023
Messages
6
> Correct. (This assumes they won't "pull a Mullvad" in the future.) :wink: See my above screenshots of the web dashboard when you log in to your AirVPN account.
>
> You can drop $2 to purchase 3 days of AirVPN if you want to test it out.
Thanks for confirming :smile:. Also, the tool ProtonVPN docs refer to, natpmpc, appears to be part of the libnatpmp package, so I may just take a leap of faith and go with them since their speeds and reputation over here are very good. But I have some Mullvad time in my account, so I'll think about it some more.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
> I like everything about AirVPN except for:
>   • Not as many different countries to choose from (compared to other VPN providers)
I suppose I'm okay with this as long as they have maybe at least 1 country from each continent or even just North America, Europe, and Asia.

>   • Servers aren't the fastest (compared to other VPN providers), and are more susceptible to being overloaded
What typical throughput should I expect? My ISP's downstream is only 350 Mbps, so if it is close to that number, I'm perfectly fine with it.

>   • The opensource GUI ("Eddie") is bulky and feels like a clunky Java application
Do you have to use this or can you just bypass this and connect through the normal OpenVPN/Wireguard protocol?
Oh also, one of the reasons why I love NordVPN is because they have a browser extension so you can use the VPN JUST for the web browser.

> The fewer people who use it, the less burden on their servers, which is better for me and existing users.
Haha, this is fair.

> ProtonVPN requires purchasing a 2-year plan ($120) to get the same rate as purchasing only a 3-month plan from AirVPN ($15). In this case, they both come out to $5/month.
>
> AirVPN lets you purchase a 3-day plan for $2, or a 1-month plan for $7, if you just want to dip your toes. (You can literally purchase 3 days for $2, and then add another 3 days for an extra $2.)
>
> * I use $ because I'm lazy and don't feel like converting the currency.
Oh, I like that 3-day thing for a trial period.

One last question. Do you know if they submit themselves to independent audit every once in a while?
 
Joined
Oct 22, 2019
Messages
3,641
> I suppose I'm okay with this as long as they have maybe at least 1 country from each continent or even just North America, Europe, and Asia.
They have a total of 252 servers.
  • Europe: 159
  • Americas: 76
  • Asia: 16
  • Oceania: 1 (literally just one server in New Zealand)
Almost all of their servers are 2-Gbps (2,000 Mbps). They've hinted that in December of this year or early in 2024, they're going to add some 10-Gbps capable servers.


> What typical throughput should I expect? My ISP's downstream is only 350 Mbps, so if it is close to that number, I'm perfectly fine with it.
That's hard to answer. It's not really about the "typical speed" nor the capability of the VPN server. The issue is that there's a greater likelihood that the server you're connected to will exceed a sane "load", simply because AirVPN is small compared to the commercialized VPN giants. So when it's fast, it's fast (hitting your ISP limits, or even at least half of it.) But when it's slow, it crawls; and their GUI is not as intelligent as Mullvad's when it comes to "reconnecting". Most of the time when I "reconnect to the best server" it reconnects... to the same exact server. At least Mullvad's GUI "mixes it up".



> Do you have to use this or can you just bypass this and connect through the normal OpenVPN/Wireguard protocol?
You don't have to use it, but I prefer to use a VPN provider's software, since it gives you more control and customizations, such as "LAN bypass", whitelists, blacklists, visual overviews, statistics, manually selecting a different server, etc.

AirVPN, like most others, works fine with standard WireGuard and OpenVPN tools. (Obviously, since how else could I use it in a FreeBSD jail under TrueNAS?) :wink:



> One last question. Do you know if they submit themselves to independent audit every once in a while?
Not that I'm aware of. Make of that what you will.

They assert a "no logs" policy, and you don't even need any personal information to create an account: not even an email address. Everything runs on RAM (nothing is stored to nonvolatile storage).

But of course, that's the equivalent of "trust me bro".

Perhaps they have been audited, though I have not come across that. The company and community is reminiscent of the oldschool "enthusiasts" behind a product and culture, which comes off as more honest and less "commercialized". (Savvy users, homebrew software and tools, features over aesthetics, etc.) They're big into opensource, and have a friendly culture on their website and forums. Their customer service has been receptive and easy to communicate with.



At the end of the day, if it weren't for port-forwarding, I'd be using Mullvad. Period.

I'm also fully aware of the road heading into the future. Once Mullvad dropped port-forwarding, a deluge of new users signed up for another VPN provider which advertises port-forwarding. Months later, this VPN provider made a public announcement that they are getting rid of port-forwarding because of too many users flooding their servers after this mass migration. This concerns me that the remaining VPN providers that offer port-forwarding (Air, Proton, Azire, etc) are susceptible to the same pressures and could eventually drop support as well.

EDIT: I have to admit that Air's web dashboard is awesome. They present everything to the user, and it's like using a legitimate control panel to manage everything.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
> But when it's slow, it crawls; and their GUI is not as intelligent as Mullvad's when it comes to "reconnecting". Most of the time when I "reconnect to the best server" it reconnects... to the same exact server. At least Mullvad's GUI "mixes it up".
Oh man, that sucks indeed. Why the hell would I want to reconnect to the same server back to back?

> You don't have to use it, but I prefer to use a VPN provider's software, since it gives you more control and customizations, such as "LAN bypass", whitelists, blacklists, visual overviews, statistics, manually selecting a different server, etc.
Makes sense. That's in fact why I use the NordVPN browser extension.

> Perhaps they have been audited, though I have not come across that. The company and community is reminiscent of the oldschool "enthusiasts" behind a product and culture, which comes off as more honest and less "commercialized". (Savvy users, homebrew software and tools, features over aesthetics, etc.) They're big into opensource, and have a friendly culture on their website and forums. Their customer service has been receptive and easy to communicate with.
Sounds good enough for me.

> At the end of the day, if it weren't for port-forwarding, I'd be using Mullvad. Period.
>
> I'm also fully aware of the road heading into the future. Once Mullvad dropped port-forwarding, a deluge of new users signed up for another VPN provider which advertises port-forwarding. Months later, this VPN provider made a public announcement that they are getting rid of port-forwarding because of too many users flooding their servers after this mass migration. This concerns me that the remaining VPN providers that offer port-forwarding (Air, Proton, Azire, etc) are susceptible to the same pressures and could eventually drop support as well.
>
> EDIT: I have to admit that Air's web dashboard is awesome. They present everything to the user, and it's like using a legitimate control panel to manage everything.
Yeah, this part sucks. Honestly, I've been very happy with NordVPN. They're fast, lots of servers, good software, fairly reasonable pricing (if you haggle with customer support), no logs, regular independent audits, based in Panama. But the lack of port forwarding is a big deal breaker.
 

jnk

Cadet
Joined
Sep 13, 2023
Messages
6
I decided to take the plunge and get ProtonVPN for two years. If I couldn't get it up and running to my liking I could get a refund within 30 days anyway and I'd rather take a long subscription than having to renew every so often.

Things are working perfectly; speeds are nice and the port forwarding is also working with auto-renew via a cron job. Now my only remaining issue is that when the port changes, which could happen when my connection dies for whatever reason, I have to manually restart rTorrent since I can't find a way of updating the port while rTorrent is running or restart it easily since it launches as a curses interface. So for now I have a Telegram bot sending me a message whenever the port changes, which hopefully will suffice.
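
The renew-and-notify arrangement described in the post above, sketched as an added example; it is not jnk's script and not ProtonVPN's documented loop. The gateway address, state-file path, lifetime, the `run` argument and the `Mapped public port N protocol ...` output line it parses are assumptions to check against your own natpmpc.

```shell
#!/bin/sh
# Added example (not from the thread): renew a NAT-PMP mapping from cron and
# report when the forwarded port changes.
# Assumptions: GATEWAY, STATE_FILE and LIFETIME are placeholders, and natpmpc
# reports the mapping on a line "Mapped public port N protocol ...".

GATEWAY="${GATEWAY:-10.2.0.1}"            # placeholder: your tunnel's gateway
STATE_FILE="${STATE_FILE:-/var/db/natpmp.port}"
LIFETIME="${LIFETIME:-60}"                # seconds requested per renewal

# Read natpmpc output on stdin, print the first mapped public port (if any).
parse_mapped_port() {
    sed -n 's/^Mapped public port \([0-9]\{1,5\}\) protocol .*/\1/p' | head -n 1
}

# Accept only 1..65535 so a garbled reply never reaches the state file.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Compare port $1 with the one saved in file $2 and update the file atomically.
# Prints "initial NEW", "unchanged NEW" or "changed OLD NEW".
record_port() {
    new="$1"; state="$2"; old=""
    valid_port "$new" || return 2
    if [ -r "$state" ]; then old=$(head -n 1 "$state"); fi
    if [ "$new" = "$old" ]; then
        echo "unchanged $new"
        return 0
    fi
    tmp="$state.$$"
    printf '%s\n' "$new" > "$tmp" || return 3
    mv "$tmp" "$state" || return 3
    if [ -z "$old" ]; then echo "initial $new"; else echo "changed $old $new"; fi
}

# Renew both protocols; fail if either request is refused.
renew() {
    out=$(natpmpc -a 1 0 udp "$LIFETIME" -g "$GATEWAY") || return 1
    natpmpc -a 1 0 tcp "$LIFETIME" -g "$GATEWAY" >/dev/null || return 1
    printf '%s\n' "$out" | parse_mapped_port
}

# Cron entry point: nothing touches the network unless called with "run".
if [ "${1:-}" = "run" ]; then
    port=$(renew) || { logger -t natpmp "renewal failed"; exit 1; }
    status=$(record_port "$port" "$STATE_FILE") || {
        logger -t natpmp "no valid port in natpmpc reply"; exit 1; }
    case "$status" in
        changed*|initial*) logger -t natpmp "forwarded port: $status" ;;
    esac
fi
```

Run it from cron as `sh natpmp-renew.sh run` (hypothetical file name). The `changed OLD NEW` status is the point at which to hook a notification or a client restart.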
 

ilikenwf

Cadet
Joined
Sep 20, 2023
Messages
2
Thanks for the guides. I'm using this setup with OVPN.com, and the only downside compared to my old Linux box setup is that if I enable port forwarding, not only does it not work using the transmission check URL with curl, but with a setup as below, the private WireGuard IP address is attempting to reach out, for some reason, to the WireGuard server, using the port that is configured for forwarding, if I have both TCP/UDP forwarding for the port set up on the OVPN.com site.

I've done everything I could think of and it feels like either some kind of routing table issue, though mine look good, or something with OVPN themselves, but since it was (I think) working properly on the Linux based setup, I'm leaning toward a config issue somewhere?

Let's say lan is 10.0.0.12
wg0 is 172.0.0.16 or whatever
wireguard server remote is x.x.x.x

I'm connected, can download, check my IP, everything. Check for the open port: no good. Every few milliseconds, though, my opnsense firewall logs entries showing 172.0.0.16 from the port configured for forwarding trying to reach out to x.x.x.x the wireguard server...which makes no sense...it shouldn't be exposing that traffic at all to the real LAN, and likewise shouldn't be attempting to route traffic to itself, over itself...
 

ilikenwf

Cadet
Joined
Sep 20, 2023
Messages
2
I should also mention that this still happens from time to time with ICMP packets, from the private wg0 IP trying to ping the wireguard public IP...which makes no sense.
 