This sounds similar to kill-switch behavior and searching that might come up with other solutions.
Actually I thought about implementing a kill-switch as a solution.
On LibreWolf I have something with similar behaviour.
A proxy extension called Mullvad Proxy.
If I am not wrong it acts as a kill-switch if the wg-interface loses connection to the VPN server.
I tried it out, while being connected to the proxy, and turning off the wg-interface.
The browser responded with a time-out while trying to connect to a web page.
I'd feel more confident in having an OS firewall limit communications over all network interfaces except a specific one.
As a firewall I am using an IPFW2 one.
It is actually the "workstation" profile FreeBSD provides.
Code:
Input:
# ipfw list
Output:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any
My interface through which all traffic usually goes is:
Code:
Input:
ifconfig | grep wg
Output:
xy-xyz-wg-NNN
Looking at the firewall rules they seem ok, but I wonder how or where I could implement the kill-switch rule.
Let us assume that I have the following inet addresses available on my wg-interface:
-> inet v4: 13.88.01.120
-> inet v6: ac00:abcd:bcad:ab30:ac01::1:3add prefixlen 130
I basically have in mind to do something like that:
Code:
---- I do not think I should change that part
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
--- END of the part I should not change
--- I thought about starting to edit from here.
00550 deny ip from any to any via ue0 (To get the actual kill-switch behaviour either here or at the end)
--- And add a "via wg interface" at the end of almost each line starting from here if still needed.
00600 allow ipv6-icmp from :: to ff02::/16 via my-wg-interface
00700 allow ipv6-icmp from fe80::/10 to fe80::/10 via ...
00800 allow ipv6-icmp from fe80::/10 to ff02::/16 via ...
00900 allow ipv6-icmp from any to any icmp6types 1 via ...
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established via ...
01300 allow tcp from me to any setup keep-state :default via ...
01400 allow udp from me to any keep-state :default via ...
01500 allow icmp from me to any keep-state :default via ...
01600 allow ipv6-icmp from me to any keep-state :default via ...
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out via ...
01800 allow udp from any 67 to me 68 in via ...
01900 allow udp from any 67 to 255.255.255.255 68 in via ...
02000 allow udp from fe80::/10 to me 546 in via...
02100 allow icmp from any to any icmptypes 8 via ...
02200 allow ipv6-icmp from any to any icmp6types 128,129 via ...
02300 allow icmp from any to any icmptypes 3,4,11 via ...
02400 allow ipv6-icmp from any to any icmp6types 3 via...
--- END of editing
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any via ue0 (To get the actual kill-switch behaviour)
Now the problem would be, my interface name changes all the time, because I am connecting to a new interface each day.
Eventually modifying just rule number 65535 to deny any in and outgoing connections through ue0 would be the solution here, or deny any in and outgoing connections through ue0 at the beginning.
As I understand deny ip from any to any includes ipv4 and ipv6 addresses, right?
Another solution would be to add something like that to the wg-config files implementing a kill-switch behaviour per file.
Code:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Firewall Builder in this case does not work as intended.
Someone said on the internet that there are pf iptables for FreeBSD?
I have not found anything, though.
I looked up the man-page from rtorrent.
It can do something simple as
rtorrent bind -b 13.88.01.120 my-torrent-file
I agree with you though, a kill-switch behavior would be the all-in-one solution.
Or even better just disallow all in and outgoing connections through ue, and only allow them through wg.
That would be a global kill-switch I guess since nothing would work anymore through ue0.
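The uplink-blocking variant sketched in the post, written out as an added example (this is not the poster's ruleset nor FreeBSD's workstation profile): it keys the kill-switch on the uplink rather than the daily-changing tunnel name, and it carves out the one thing a plain `deny ip from any to any via ue0` would also kill, the tunnel's own encrypted UDP exchange with the VPN server. Assumed: the uplink is `ue0`, and the endpoint address and port are placeholders; `ip` with `any` in ipfw matches both IPv4 and IPv6, which answers the question raised above.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: build ipfw(8) kill-switch rules that
# drop every packet on the uplink except the WireGuard tunnel's own encrypted
# UDP exchange (and DHCP, so the uplink keeps its lease). Keying on the uplink
# means the tunnel interface name can change daily without touching the rules.
# Assumed: uplink is ue0; endpoint address/port are placeholders.
UPLINK="${UPLINK:-ue0}"
ENDPOINT="${ENDPOINT:-203.0.113.10}"      # placeholder (TEST-NET-3), not a real server
ENDPOINT_PORT="${ENDPOINT_PORT:-51820}"   # WireGuard default listen port

# The endpoint must be an address literal: a hostname would need DNS over the
# uplink before the tunnel is up, and that is exactly what the rules block.
endpoint_is_literal() {
    case "$1" in
        *:*)     case "$1" in *[!0-9a-fA-F:.]*) return 1 ;; *) return 0 ;; esac ;;
        *.*.*.*) case "$1" in *[!0-9.]*)       return 1 ;; *) return 0 ;; esac ;;
        *)       return 1 ;;
    esac
}

# Print the rules in 'ipfw -q /dev/stdin' syntax. They slot in between the
# loopback rules (00100-00500) and the existing 00600 rule. 'ip' with 'any'
# matches both IPv4 and IPv6, so one deny covers both families. The inbound
# reply is allowed explicitly rather than via keep-state because the ruleset's
# check-state sits at 01100, after the deny, and would never be reached.
# IPv6 on the uplink is intentionally left dead (endpoint reached over IPv4).
killswitch_rules() {
    endpoint_is_literal "$ENDPOINT" || { echo "ENDPOINT must be an IP literal" >&2; return 1; }
    cat <<EOF
add 00540 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out via $UPLINK
add 00541 allow udp from any 67 to me 68 in via $UPLINK
add 00542 allow udp from any 67 to 255.255.255.255 68 in via $UPLINK
add 00550 allow udp from me to $ENDPOINT $ENDPOINT_PORT out via $UPLINK
add 00560 allow udp from $ENDPOINT $ENDPOINT_PORT to me in via $UPLINK
add 00570 deny log ip from any to any via $UPLINK
EOF
}

# Load the rules (needs root and ipfw). 'deny log' records anything that tried
# to leave via the uplink in /var/log/security (net.inet.ip.fw.verbose=1), which
# is how you verify nothing bypasses the tunnel after the wg interface goes down.
apply_killswitch() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    killswitch_rules | ipfw -q /dev/stdin
}

case "${1:-print}" in
    apply) apply_killswitch ;;   # ./killswitch.sh apply   loads the rules
    *)     killswitch_rules ;;   # ./killswitch.sh         only prints them
esac
```

Check the result with `ipfw list` and then `ipfw -d list` while the tunnel is down: traffic to anything but the endpoint should hit rule 00570 and show up in the log.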