I have a strongSwan IPsec VPN configured on my Ubuntu 22.04.4 LTS server. The VPN starts up and connects to the primary interface (eno1) successfully.
Using qBittorrent, I bind to the IP address that is assigned to the VPN connection so that torrent traffic is directed through the VPN. (I don't send any other network traffic through the VPN.) This works successfully, so that if the VPN drops, the torrent traffic is halted.
The issue is that upon reconnection, I may get assigned a different IP address by the VPN. And so the torrent traffic never resumes.
I was hoping to solve this by setting up a tun interface (tun0) and having the VPN connect directly to that interface. Then I could have qBittorrent always stay connected to the tun0 interface rather than a specific IP address.
But I can't get data to flow through the VPN connected to the tun0 interface. Any assistance would be appreciated.
Here's what I have so far:
sudo tunctl -t tun0 # create tun0 interface
sudo ip link set tun0 up # enable tun0 interface
Edit /etc/strongswan.d/vtun.conf:
charon {
    install_routes = no
    install_virtual_ip_on = tun0 # Connect VPN to tun0 interface
    if_id_in = 1
    if_id_out = 1
    remote_ts = 10.128.0.0/16
}
Restart VPN:
sudo ipsec down vpn-ca-torrent # shut down VPN
sudo ipsec restart # restart ipsec
sudo ipsec up vpn-ca-torrent # start VPN
VPN is now connected to tun0:
> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 84935sec preferred_lft 84935sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
I now connect qBittorrent to the tun0 interface, but no data flows.
Here is additional information:
> sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
> cat /etc/ipsec.conf
conn vpn-ca-torrent
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    [email protected]
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=ca-tr.vpnunlimitedapp.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=ironnodes.com
    type=tunnel
    auto=add
    leftupdown=/usr/lib/ipsec/_updown
> ip r
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100
> resolvectl
Global
    Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub

Link 2 (eno1)
    Current Scopes: DNS
    Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    Current DNS Server: 192.168.0.1
    DNS Servers: 192.168.0.1

Link 3 (tun0)
    Current Scopes: none
    Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
UPDATE:
I've added the changes as suggested:
/etc/strongswan.d/vtun.conf:
charon {
    install_routes = no
    install_virtual_ip_on = tun0
    if_id_in = 1
    if_id_out = 1
    remote_ts = 10.128.0.0/16
    leftfirewall=yes
    leftsourceip=%config
    leftsubnet=10.128.0.2/32
    rightsubnet=10.128.0.0/16
}
Once the VPN comes up and attaches to the tun0 interface, I add a route to the assigned IP:
sudo ip route add 10.128.0.0/16 dev tun0 via 10.128.0.XX
I can ping the remote IP at 10.128.0.XX, but qBittorrent still cannot send traffic over it.
When I look through the charon logs, I see these errors:
11[IKE] scheduling reauthentication in 9950s
11[IKE] maximum IKE_SA lifetime 10490s
11[IKE] adding DNS server failed
11[IKE] adding DNS server failed
11[CFG] handling INTERNAL_IP4_DNS attribute failed
11[IKE] installing new virtual IP 10.128.0.2
11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
11[IKE] CHILD_SA vpn-ca-torrent{3} established with SPIs ca04de43_i ce23bdaf_o and TS 10.128.0.2/32 === 0.0.0.0/0
ip r:
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
10.128.0.0/16 via 10.128.0.2 dev tun0 linkdown
192.168.0.0/24 dev eno1 proto static
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
192.168.0.1 dev eno1 proto dhcp scope link src 192.168.0.5 metric 100
ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
       valid_lft 66730sec preferred_lft 66730sec
    inet6 fe80::9a90:96ff:fec0:1b8c/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
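The diagnostics in the post contain two signals worth checking mechanically before trusting a bound address: `ip a` shows tun0 with `NO-CARRIER` and `state DOWN` (for a tun/tap device that means no process holds it open), and `ip r` marks the 10.128.0.0/16 route `linkdown`; the charon log separately records which virtual IP was installed, which is what changes across reconnects. The following health check is an added example, not code from the original post, qBittorrent or strongSwan. It parses captured text from those three sources and reports why traffic bound to the tunnel address cannot flow, or that the application is still pinned to an old address and must rebind. The sample inputs are constructed from the post's output, and all function and variable names are this example's own.

```python
"""Health check for an application-bound VPN virtual IP (added example).

Parses text captured from `ip addr`, `ip route` and the charon log and
returns findings; names here are this example's own, not strongSwan's or
qBittorrent's API.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `ip a` output in the question.
SAMPLE_IP_ADDR = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:90:96:c0:1b:8c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.5/24 metric 100 brd 192.168.0.255 scope global dynamic eno1
3: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8a:2d:38:87:5d:5c brd ff:ff:ff:ff:ff:ff
    inet 10.128.0.2/32 scope global tun0
"""

# Constructed sample modelled on the `ip r` output in the question.
SAMPLE_IP_ROUTE = """\
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.5 metric 100
10.128.0.0/16 via 10.128.0.2 dev tun0 linkdown
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.5 metric 100
"""

# Constructed sample modelled on the charon log lines in the question.
SAMPLE_CHARON_LOG = [
    "11[IKE] installing new virtual IP 10.128.0.2",
    "11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ",
    "11[IKE] CHILD_SA vpn-ca-torrent{3} established with SPIs ca04de43_i ce23bdaf_o"
    " and TS 10.128.0.2/32 === 0.0.0.0/0",
]

IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@]+)[^:]*: <(?P<flags>[^>]*)>.*\bstate (?P<state>\S+)")
INET_RE = re.compile(r"^\s*inet (?P<addr>\d+(?:\.\d+){3})/\d+")
VIP_RE = re.compile(r"installing new virtual IP (\d+(?:\.\d+){3})")


@dataclass
class Iface:
    name: str
    flags: set
    state: str                      # operational state printed by `ip`: UP, DOWN, UNKNOWN
    addrs: list = field(default_factory=list)


def parse_ip_addr(text):
    """Return {name: Iface} parsed from `ip addr` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = Iface(m["name"], set(m["flags"].split(",")), m["state"])
            ifaces[current.name] = current
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            current.addrs.append(m["addr"])
    return ifaces


def routes_via_dev(text, dev):
    """Return [(destination, linkdown)] for every route that uses device dev."""
    result = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" in fields and fields[fields.index("dev") + 1] == dev:
            result.append((fields[0], "linkdown" in fields))
    return result


def virtual_ip_from_log(lines):
    """Return the most recently installed virtual IP in the charon log, or None."""
    vip = None
    for line in lines:
        m = VIP_RE.search(line)
        if m:
            vip = m.group(1)
    return vip


def check_tunnel(ip_addr_text, ip_route_text, log_lines, dev, bound_ip):
    """Return a list of findings; an empty list means the bound address is usable."""
    findings = []
    iface = parse_ip_addr(ip_addr_text).get(dev)
    if iface is None:
        return [f"{dev}: interface does not exist"]
    if "NO-CARRIER" in iface.flags or iface.state != "UP":
        findings.append(f"{dev}: no carrier (state {iface.state}); for a tun/tap device "
                        "no process holds it open, so packets routed to it are dropped")
    for dest, down in routes_via_dev(ip_route_text, dev):
        if down:
            findings.append(f"route {dest} via {dev} is marked linkdown")
    vip = virtual_ip_from_log(log_lines)
    if vip is None:
        findings.append("charon log shows no installed virtual IP")
    else:
        if vip not in iface.addrs:
            findings.append(f"virtual IP {vip} is not assigned on {dev}")
        if bound_ip is not None and vip != bound_ip:
            findings.append(f"virtual IP changed from {bound_ip} to {vip}; the application must rebind")
    return findings


if __name__ == "__main__":
    # Simulate an application still bound to a hypothetical previous address.
    for f in check_tunnel(SAMPLE_IP_ADDR, SAMPLE_IP_ROUTE, SAMPLE_CHARON_LOG, "tun0", "10.128.0.7"):
        print("FINDING:", f)
```

Run periodically (or from an updown hook) with the live command outputs in place of the samples, the check distinguishes "the tunnel address exists but the device carries nothing" from "the address moved since the last bind", which are the two different failure modes described in the post.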