Tutorial [SOLUTION] OpenVPN Client Split Tunnel for BitTorrent Traffic

garycnew

Senior Member
[SOLUTION] OpenVPN Client Split Tunnel for BitTorrent Traffic Requirements/Assumptions:

1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Established OpenVPN Client Connection (Force Internet traffic through tunnel: Policy Rules)
4. Accessible /jffs/scripts/nat-start file
5. A BitTorrent Client with the ability to configure the Listening "Incoming" Port (11111) and the "Outgoing" Port Range (i.e., net.outgoing_port 10000 and net.outgoing_max_port 10999)

I have an OpenVPN Client Tunnel successfully connected to a VPN Service, and it is routing a Source Address correctly through the VPN Tunnel. However, I'd like to be able to route all BitTorrent traffic from any Client Machine on my Home Network through the successfully established VPN Tunnel without having to specify the Source Address/Network.

I've done quite a bit of research and found the Asuswrt Merlin wiki article on Policy based Port routing (manual method). The article seems straightforward and I'm in the process of attempting to create a nat-start config file.

Prior to creating the nat-start config file, I've attempted to identify the Connection Flow between the Client, Router, and BitTorrent Peers & Trackers as shown, below.

"Widely Known BitTorrent Ports:"
TCP 6881-6889: BitTorrent Traffic (Confirmed)
UDP 6881-6889: BitTorrent Traffic (Confirmed)
TCP 6969: BitTorrent Tracker Port (Confirmed)
TCP 1337: BitTorrent Tracker Port (Confirmed)

My Network's Public Gateway Address (WhatsMyIP.org):
38.70.255.168 (Confirmed)

My Client Machine's BitTorrent Connections (Sample):
TCP    192.168.0.154:10077    71.12.1.151:45500
TCP    192.168.0.154:10042    223.189.187.135:38224
TCP    0.0.0.0:11111          0.0.0.0:0                LISTENING
TCP    192.168.0.154:10023    38.70.255.168:11111
TCP    [::]:11111             [::]:0                   LISTENING
UDP    0.0.0.0:11111          *:*
UDP    [::]:11111             *:*

My Router's UPNP, NAT-PMP and PCP Forwards:
Proto  Port   Redirect to     Local Port  Time left   Description
TCP    11111  192.168.0.154   11111       0h 29m 33s  NAT-PMP 11111 tcp (Confirmed)
UDP    11111  192.168.0.154   11111       0h 29m 33s  NAT-PMP 11111 udp (Confirmed)

My Router's BitTorrent Connections (Sample):
Proto  NAT Address     NAT Port  Destination IP    Port
tcp    192.168.0.154   10038     38.70.255.168     11111
tcp    192.168.0.154   10086     187.183.41.181    32212
tcp    192.168.0.154   10092     174.221.9.209     41435
tcp    192.168.0.154   10067     49.145.7.67       11276
tcp    192.168.0.154   10069     89.36.224.252     24874
tcp    192.168.0.154   10091     173.172.5.27      35790
tcp    192.168.0.154   10092     43.245.86.12      43341
tcp    192.168.0.154   10047     71.12.1.151       45500
tcp    192.168.0.154   10042     223.189.187.135   38224

udp    192.168.0.154   11111     93.158.213.92     1337
udp    192.168.0.154   11111     169.60.48.8       6881
udp    192.168.0.154   11111     52.9.197.152      6881
udp    192.168.0.154   11111     75.70.212.97      6881
udp    192.168.0.154   11111     207.244.249.190   6882
udp    192.168.0.154   11111     192.241.151.29    6882
udp    192.168.0.154   11111     49.12.86.202      6882
udp    192.168.0.154   11111     5.206.38.65       6969
udp    192.168.0.154   11111     31.14.40.30       6969
udp    192.168.0.154   11111     184.105.151.164   6969

udp    192.168.0.154   11111     180.122.153.63    51413
udp    192.168.0.154   11111     180.64.247.134    44659
udp    192.168.0.154   11111     101.235.45.219    49874
udp    192.168.0.154   11111     188.26.205.77     38168
udp    192.168.0.154   11111     146.120.18.242    56664
udp    192.168.0.154   11111     71.12.1.151       45500
udp    192.168.0.154   11111     223.189.187.135   38224

Client => Router Connection Flow (Sample):
(Client) TCP 192.168.0.154:10077 71.12.1.151:45500
(Router) tcp 192.168.0.154 10047 71.12.1.151 45500
(Router) udp 192.168.0.154 11111 71.12.1.151 45500

(Client) TCP 192.168.0.154:10042 223.189.187.135:38224
(Router) tcp 192.168.0.154 10042 223.189.187.135 38224
(Router) udp 192.168.0.154 11111 223.189.187.135 38224

As you can see, in addition to the "Widely Known BitTorrent Ports" each BitTorrent Peer listens and communicates on a random high port. This is the reason you need a BitTorrent Client with the ability to configure the Listening "Incoming" Port (11111) and the "Outgoing" Port Range (i.e., net.outgoing_port 10000 and net.outgoing_max_port 10999).

Here is my successfully working nat-start script:

Code:
#!/bin/sh
# File: /jffs/scripts/nat-start (the shebang must be the first line of the file)

sleep 10  # During the boot process nat-start may run multiple times so this is required

# Ensure Duplicate Rules are not Created
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

# Create RPDB Rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Mark Inbound BitTorrent Packets from OpenVPN Server to WAN
iptables -t mangle -I POSTROUTING -o br0 -p udp -m multiport --dport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -I POSTROUTING -o br0 -p tcp -m multiport --dport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -I POSTROUTING -o br0 -p udp -m multiport --dport 10000:10999 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -I POSTROUTING -o br0 -p tcp -m multiport --dport 10000:10999 -j MARK --set-mark 0x8000/0x8000

# State 0 (stopped) or 1 (connecting) means VPN Client 1 is not up; grep -q keeps the test silent
if nvram get vpn_client1_state | grep -q 0 || nvram get vpn_client1_state | grep -q 1; then
   # Mark Outbound BitTorrent Packets from WAN to OpenVPN Client 2
   iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x2000/0x2000
   iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x2000/0x2000
   iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 10000:10999 -j MARK --set-mark 0x2000/0x2000
   iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 10000:10999 -j MARK --set-mark 0x2000/0x2000
else
   # Mark Outbound BitTorrent Packets from WAN to OpenVPN Client 1
   iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x1000/0x1000
   iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x1000/0x1000
   iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 10000:10999 -j MARK --set-mark 0x1000/0x1000
   iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 10000:10999 -j MARK --set-mark 0x1000/0x1000
fi

# BitTorrent "KillSwitch" - Drop Inbound/Outbound Packets When VPN Client is Down
iptables -A INPUT -p udp -m multiport --sport 11111,22222,33333,44444,55555 -j DROP
iptables -A INPUT -p tcp -m multiport --sport 11111,22222,33333,44444,55555 -j DROP
iptables -A INPUT -p udp -m multiport --sport 10000:10999 -j DROP
iptables -A INPUT -p tcp -m multiport --sport 10000:10999 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 11111,22222,33333,44444,55555 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 11111,22222,33333,44444,55555 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 10000:10999 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 10000:10999 -j DROP

# Drop Packets Initiated from OpenVPN Servers (Asuswrt-Merlin Auto-Generated)
#iptables -A OVPN -i tun11 -j DROP
#iptables -A OVPN -i tun12 -j DROP
#iptables -A OVPN -i tun13 -j DROP
#iptables -A OVPN -i tun14 -j DROP
#iptables -A OVPN -i tun15 -j DROP

# Masquerade Packets from WAN to OpenVPN Clients (Asuswrt-Merlin Auto-Generated)
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun11 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun12 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun13 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun14 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun15 -j MASQUERADE

# BONUS:  Mark https://z1.fm Packets for OpenVPN Client 2
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.27.160.206 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.27.160.206:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.27.161.206 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.27.161.206:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.31.86.209 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.31.86.209:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.31.87.209 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.31.87.209:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 172.67.168.48 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 172.67.168.48:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 172.67.169.86 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 172.67.169.86:443 -m mark --mark 0x2000/0x2000

Your comments related to implementation, testing, and improvements are appreciated.

Kind Regards,


Gary
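The script above relies on two things that are easy to get wrong when adapting it: the mangle rules set mark bits with a mask (so a rule matching 0x3000/0x3000 only fires when both the 0x1000 and 0x2000 bits are set), and the RPDB evaluates rules in ascending priority, so the WAN rule at prio 9990 wins over any VPN mark. The following model, added here as an editor's example and not part of the original post, mirrors the port sets, mark values and rule priorities from the nat-start script so you can check what table a given packet would land in before touching the router; the function and variable names are my own.

```python
"""Model of the fwmark/RPDB policy in the nat-start script above (editor's example)."""

# Port sets from the script: fixed listening ports and the outgoing port range
BT_PORTS = {11111, 22222, 33333, 44444, 55555}
BT_RANGE = range(10000, 11000)          # --dport/--sport 10000:10999

WAN_MARK, VPN1_MARK, VPN2_MARK = 0x8000, 0x1000, 0x2000

# (priority, fwmark/mask value, table) as created by the 'ip rule add' lines
RPDB = [
    (9990, WAN_MARK, "main"),
    (9991, 0x7000, "ovpnc4"),
    (9992, 0x3000, "ovpnc5"),
    (9993, VPN1_MARK, "ovpnc1"),
    (9994, VPN2_MARK, "ovpnc2"),
    (9995, 0x4000, "ovpnc3"),
]


def is_bt_port(port):
    return port in BT_PORTS or port in BT_RANGE


def mangle_mark(in_iface, out_iface, sport, dport, vpn1_up):
    """Return the mark the mangle PREROUTING/POSTROUTING rules would set.

    vpn1_up mirrors the nvram vpn_client1_state test: when Client 1 is not
    connected the script marks for Client 2 instead.
    """
    mark = 0
    # POSTROUTING -o br0: packets heading to the LAN client get the WAN mark
    if out_iface == "br0" and is_bt_port(dport):
        mark |= WAN_MARK
    # PREROUTING -i br0: client-originated BitTorrent gets a VPN mark
    if in_iface == "br0" and is_bt_port(sport):
        mark |= VPN1_MARK if vpn1_up else VPN2_MARK
    return mark


def route_table(mark):
    """First RPDB rule (lowest prio) whose fwmark/mask matches wins."""
    for _prio, fwmark, table in sorted(RPDB):
        if mark & fwmark == fwmark:        # 'fwmark X/X' needs every bit of X set
            return table
    return "main"                          # no fwmark rule matched: normal lookup
```

Note that a mark of 0x3000 (both VPN 1 and VPN 2 bits) is routed to ovpnc5 at prio 9992, not to ovpnc1, which is why the script sets only one VPN bit per packet.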
@SomeWhereOverTheRainBow Does this solution warrant "Tutorial" status similar to my Reverse Proxy solution? Much Appreciated.