How to only allow vpn connection for transmission

Status
Not open for further replies.

Supersonical

Dabbler
Joined
Apr 12, 2016
Messages
17
Hey!

Sorry, I'm a total noob when it comes to FreeNAS and all functions around it!

But here goes my question. I have successfully set up transmission with OpenVPN and it's working great. But since I cannot trust that my VPN provider will always have a stable connection, I would like my jail's firewall to only allow connections out via the VPN provider and nothing else. I have followed "jerrybme"'s awesome guide, but it requires me to know my provider's IP range to work. My provider doesn't share their IP range due to security reasons. So the question is what kind of options do I have, if there are any.

Link to the guide I have used to set up my transmission.
https://forums.freenas.org/index.ph...-a-jail-so-it-only-connects-to-the-vpn.18669/
 

Supersonical

Dabbler
Joined
Apr 12, 2016
Messages
17
Were you able to find an answer for this?

Nope, not yet. I'm doing manual checkups every day to see if the VPN is running, which is absolutely not the most secure way of doing it. If my VPN goes down I'll be totally visible :(

I hope somebody out there has the same problem and has found a solution for this :)
 

Tom_

Explorer
Joined
Jan 4, 2015
Messages
62
What about using ipfw to restrict all traffic to the tun/tap interface?
 

Supersonical

Dabbler
Joined
Apr 12, 2016
Messages
17
What about using ipfw to restrict all traffic to the tun/tap interface?

That was exactly what I was thinking, but I don't know how to set up ipfw to do that. I'm at work now. Will post my ipfw file when I get home. Maybe you can help me/us. :)

Another question is, if that's possible to do, why isn't that the general practice? I mean, why go to the length of digging up VPN providers' IP ranges etc. o_O

Hmm, when I think about it, if the tun/tap link is down, is it even possible to connect to the VPN provider?
 

Tom_

Explorer
Joined
Jan 4, 2015
Messages
62
I can try to help, but I'm not a networking or security expert so don't blame me if the FBI (or even worse, GEMA) knocks on your door.

I guess setting up the tun/tap interface is done by root. If you run transmission as a different user (e.g. 'media') you can filter traffic based on the uid. You could try something like:

Code:
ipfw add 00010 allow ip from any to any via tap0
ipfw add 00200 deny ip from any to any uid media
ipfw add 65534 allow all from any to any


I think this would pass transmission traffic on the vpn with rule 00010 and block all other traffic from the 'media' user with 00200. You would have to add some other rules to take care of traffic between the jail and the rest of your LAN (e.g. the transmission web interface). That could be something like:

Code:
ipfw add 00101 allow ip from me to 192.168.1.0/24 via epairn uid media
ipfw add 00102 allow ip from 192.168.1.0/24 to me via epairn uid media


where n is the normal (not openvpn) interface and you change 192.168.1.0 for your actual LAN address. These rules would go before 00200 of course.

Once you have it set up you can start some legal torrents and then disconnect the vpn to see if they continue downloading.
 
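The two rule fragments above combined in the order Tom_ describes (LAN rules before the uid deny), as an added example that is not Tom_'s own script; the interface names tun0 and epair0b, the subnet 192.168.1.0/24 and the user media are assumptions to adjust for your jail. Running it with no argument only prints the rules; "apply" loads them with ipfw after an ordering check.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the ipfw kill-switch rule set so that
# transmission (running as TOR_USER) can only reach the VPN interface and the LAN.
# Defaults below are assumptions; override them via the environment.

VPN_IF="${VPN_IF:-tun0}"             # OpenVPN interface (tun0 or tap0)
LAN_IF="${LAN_IF:-epair0b}"          # jail side of the epair, "epairn" in the post
LAN_NET="${LAN_NET:-192.168.1.0/24}" # your LAN, for the transmission web interface
TOR_USER="${TOR_USER:-media}"        # uid transmission runs as

# Print the rule set in priority order, one "ipfw add" command per line.
# Rule numbers are those from the post; 00101/00102 must sit before the 00200 deny.
gen_rules() {
    cat <<EOF
ipfw add 00010 allow ip from any to any via ${VPN_IF}
ipfw add 00101 allow ip from me to ${LAN_NET} via ${LAN_IF} uid ${TOR_USER}
ipfw add 00102 allow ip from ${LAN_NET} to me via ${LAN_IF} uid ${TOR_USER}
ipfw add 00200 deny ip from any to any uid ${TOR_USER}
ipfw add 65534 allow all from any to any
EOF
}

# Ordering check: every "allow ... uid <user>" rule must precede the "deny ... uid <user>"
# rule, and the final allow-all must come after it. Returns 0 when the order is sound.
check_order() {
    gen_rules | awk -v u="${TOR_USER}" '
        $3 ~ /^[0-9]+$/ { n = $3 + 0 }
        $4 == "deny"  && $0 ~ ("uid " u) { deny = n }
        $4 == "allow" && $0 ~ ("uid " u) { if (deny) bad = 1 }
        $4 == "allow" && $0 !~ /uid/ && n == 65534 { if (!deny) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    apply) check_order && gen_rules | sh ;;   # load into the running ipfw
    *)     gen_rules ;;                        # dry run: just show the rules
esac
```

After loading, the test from the post still applies: start a legal torrent, take the VPN down, and confirm the download stops.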

Supersonical

Dabbler
Joined
Apr 12, 2016
Messages
17
Hi Tom,

This looks really good, I´ll try that right away and post back the results!

Thanks :)
 

TeChn4K

Dabbler
Joined
Sep 10, 2016
Messages
16
Any updates @Supersonical ?
I'm interested in the same setup :)
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Nope, not yet. I'm doing manual checkups every day to see if the VPN is running, which is absolutely not the most secure way of doing it. If my VPN goes down I'll be totally visible :(
Not sure about this... If the VPN Provider goes down, then how is it you think someone will be able to VPN in?
 