[SOLVED] NordVPN - Transmission, Plex - Seeding not working, no Port Forwarding

MichaIng
hello

As you have noticed, while connected to the VPN the port 50517 is blocked, and while you have set it to static it causes connection failures to the peers on your torrent client. It would be great if you could set it to randomize port and disable port forwarding, as this feature does not work while under the VPN connection.

Afterward, restart VPN connection and torrent client to see if the issue persists. Also, you can try using a different client such as qBittorrent.

Let us know how it will go!

Best Regards,
Amoldo Siles
Customer Success Manager
NordVPN.com

This had no positive result.

I’ve tried also … and the same result as we already know.

MichaIng
Hello

I’m back and I have a solution and some results of my tryouts, and I hope you convert some of the DietPi Optimized Software.

So I’ve tried all of this with XU4Q.

As a result: torrenting with an “open port” does not work with NordVPN! That’s not possible, they don’t support this feature. I’ve tried 4 VPN providers and the free one you have posted before.
I have found only Hide.me and PIA support this feature, and the price is “harder” acceptable. For PIA, you have to open a port via script and you’ll get an open port as the result of this operation:

I have modified the following htpcguides scripts for that:

pia.sh

#!/usr/bin/env bash
# Source: http://www.htpcguides.com
# Adapted from https://github.com/blindpet/piavpn-portforward/
# Author: Mike and Drake
# Based on https://github.com/crapos/piavpn-portforward

# Set path for root Cron Job
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

USERNAME=USERNAME
PASSWORD=PASSWORD
VPNINTERFACE=tun0
VPNLOCALIP=$(ifconfig $VPNINTERFACE | awk '/inet / {print $2}' | awk 'BEGIN { FS = ":" } {print $(NF)}')
CURL_TIMEOUT=5
CLIENT_ID=$(uname -v | sha1sum | awk '{ print $1 }')

# set to 1 if using VPN Split Tunnel
SPLITVPN="1"

#get VPNIP
VPNIP=$(curl -m $CURL_TIMEOUT --interface $VPNINTERFACE "http://ipinfo.io/ip" --silent --stderr -)
#echo $VPNIP

#request new port
PORTFORWARDJSON=$(curl -m $CURL_TIMEOUT --silent --interface $VPNINTERFACE  'https://www.privateinternetaccess.com/vpninfo/port_forward_assignment' -d "user=$USERNAME&pass=$PASSWORD&client_id=$CLIENT_ID&local_ip=$VPNLOCALIP" | head -1)
#trim VPN forwarded port from JSON
echo $PORTFORWARDJSON

PORT=$(echo $PORTFORWARDJSON | awk 'BEGIN{r=1;FS="{|:|}"} /port/{r=0; print $3} END{exit r}')
echo $PORT

#change firewall rules if SPLITVPN is set to 1
if [ "$SPLITVPN" == "1" ]; then
#change firewall rules if necessary
    IPTABLERULETWO=$(iptables -L INPUT -n --line-numbers | grep -E "2.*reject-with icmp-port-unreachable" | awk '{ print $8 }')
    if [ -z "$IPTABLERULETWO" ]; then
        sudo iptables -D INPUT 2
        sudo iptables -I INPUT 2 -i $VPNINTERFACE -p tcp --dport $PORT -j ACCEPT
    else
        sudo iptables -I INPUT 2 -i $VPNINTERFACE -p tcp --dport $PORT -j ACCEPT
    fi
fi

Also firewall scripts for startup and shutdown of the tunnel and so on:

iptables.sh

#!/bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com

export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="<localip>"
export NETIF="eth0"

# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT

# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT

# Start routing script
/etc/openvpn/routing.sh

exit 0

routing.sh

#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com

VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache

# run update-resolv-conf script to set VPN DNS
/etc/openvpn/update-resolv-conf

exit 0

And last, the OpenVPN config for PIA:

client
dev tun
proto udp
remote <PIA-SERVER> <PIA PORT: 1197 or 1198 depends on server>
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.txt
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
route-noexec

#up and down scripts to be executed when VPN starts or stops
up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf

And PIA’s ovpn files are placed in the client subfolder.

login.txt has only PIA’s USERNAME and PASSWORD written in it.

The resulting port of pia.sh is the open one for Transmission. Don’t use UPnP, DHT, LPD, uTP … all of this should be disabled.
After that Transmission is happy.

I’ve also tried this mysterious split tunnel. From my experience I think it’s a must have. Otherwise you cannot open the website for remote torrenting.

Also this nginx reverse proxy …

At this point I’ve had some problems with clean installs. Sometimes when doing a fresh install, the DietPi setup routine runs in an endless loop.
I have to break it with Ctrl+C, run DietPi-Update, restart and finish the setup.

You have DietPi-NordVPN … If it’s possible, modify this so that PIA or others also get a GUI and split tunnel. I have had really massive problems with this iptables stuff.
Also a user script like pia.sh above, run at startup to get an open port.

A re-setup is a little complicated … it would be very, very nice of you guys if you modify NordVPN for PIA and these iptables scripts. For all of us users, security should always have a little space at our playgrounds these days.

:slight_smile: :slight_smile:

Have fun and nice days
yours

luzi

Please excuse my English, it’s not my best feature :smiley:
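The pia.sh script above takes whatever the port-forward endpoint returns and places it straight into an iptables command as `$PORT`; an error body or an unexpected reply would leave that variable empty or filled with something other than a port number. The following is an added example (not part of the thread, not htpcguides or DietPi code) that extracts the port from the JSON reply and validates it before any firewall rule is built. The JSON bodies are constructed sample data, `tun0` is taken from pia.sh, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: extract and validate the forwarded port
# returned by the PIA port_forward_assignment call before it is used with
# iptables. All JSON bodies here are constructed sample data.

# Pull the numeric value of the "port" key out of a one-line JSON body.
# Prints the port and returns 0 on success; prints nothing and returns 1 otherwise.
extract_port() {
    json=$1
    # grep -o keeps only the matching piece; sed strips the key and any spaces
    port=$(printf '%s' "$json" \
        | grep -o '"port"[[:space:]]*:[[:space:]]*[0-9]*' \
        | head -n 1 \
        | sed 's/.*://; s/[[:space:]]//g')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Accept only a value made of digits alone in the unprivileged range 1024-65535,
# so nothing but a plain port number can ever reach the iptables command line.
validate_port() {
    p=$1
    case $p in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    if [ "$p" -ge 1024 ] && [ "$p" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Combined helper: prints the port ready for use, or fails without printing.
forwarded_port_from_json() {
    p=$(extract_port "$1") || return 1
    validate_port "$p" || return 1
    printf '%s\n' "$p"
}

# Build the ACCEPT rule as a string instead of executing it, so the result can be
# reviewed without root. Interface and rule position follow pia.sh above.
allow_rule_for() {
    p=$1
    validate_port "$p" || return 1
    printf 'iptables -I INPUT 2 -i tun0 -p tcp --dport %s -j ACCEPT\n' "$p"
}

if [ "${1:-}" = "demo" ]; then
    # Constructed sample replies: one assignment and one error body.
    GOOD='{"port":35217}'
    BAD='{"error":"port forwarding not available on this server"}'
    forwarded_port_from_json "$GOOD" && allow_rule_for "$(forwarded_port_from_json "$GOOD")"
    forwarded_port_from_json "$BAD" || echo "no port assigned, firewall left unchanged"
fi
```

Run it with `sh pia_port.sh demo` to see the two cases. In pia.sh the equivalent change is to replace the bare `echo $PORT` with a check like `validate_port "$PORT" || exit 1` before the iptables lines, so a failed assignment leaves the firewall untouched instead of inserting a rule with an empty `--dport`.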

I tried the split tunneling technique with Deluge + NordVPN, but the time it is showing is in years. Can it be done via Express vs NordVPN, as my subscription expires soon and I have Express as well, so can Express deliver the same SOCKS5?

rawla
Hi

Have a look at that page: https://www.bestvpn.com/vpn-comparison/best-vpn-torrenting/

ExpressVPN also has no direct port forwarding, like NordVPN. But on the Express homepage I’ve also found something: there you use a special router and flash an Express firmware on it. There you can configure port forwarding, but I’m not really sure if this is for traffic through the tunnel or only local forwarding. I haven’t read all of it.

I’m Happy with PIA for the next 2y. After that we will see :slight_smile:

luzifia
Actually it makes sense that requests from outside through your VPN to your machine do not work. The whole idea behind the VPN is to have the peers outside not see you, but only see the VPN provider instead. So you are anonymous. But of course when sending a request from outside to the NordVPN server, how should it know which VPN client this should be delivered to? So it would need that each client, connected to a certain server, is allowed to have its own IP range to be forwarded. This partly breaks the anonymity idea, but when users actively enable it, of course it makes sense and is up to them to configure their clients and answering services on those ports safely.

As of course this kind of port “reservation” for users is limited to the amount of available ports and often the same ports are used for the same kind of communication, it is an additional effort for the VPN provider, limits the usage of their servers etc.
So reasonable that those are more expensive then, respectively you have to pay extra to have a certain port (range) forwarded to your server.

But indeed for torrent seeding this is an issue. Usually you want to allow external leechers to connect to your torrent client directly on the port that you specified when downloading/connecting first. I am no expert in this, but I guess usually the port you specified (or simply used) when connecting/downloading the torrent file first is somehow saved in the network/tracker, so other peers know how (on which port) to connect to each peer that offers seeding?

But actually AFAIK, as long as the connection is opened, peers are still able to download from yours? They just cannot establish a connection themselves? I remember those days when actively torrenting myself and mostly seeding worked well even without ports being forwarded from my router (same result then if this is not done by your VPN provider). It just took a longer time, usually fewer users connected for leeching and it only worked directly after downloading.

I guess you use a private tracker that has strict rules about quota and assures that you are reachable without being connected already? For such private trackers the VPN has limited benefit anyway as long as the transfer traffic itself is encrypted (default settings in most torrent clients, in case assured by DietPi via settings adjustment on install). Only the members can see what you download and upload, and in private trackers, yeah, not everyone can join, as that is the idea behind it.


About adding PIA: So far it’s DietPi-NordVPN, not DietPi-PIA :wink:. Perhaps we turn it into DietPi-VPN and add support for other VPN providers in the future, but that’s currently out of scope.

I am having now a look into the split VPN thing. Actually I thought that direct connection via domain/IP to your machine should still work.

In my case seeding works well with UDP and TCP server without SOCKS5 (didn’t test it with so far).
But yeah it’s up to my clients to “contact” peers for seeding. But Deluge handles this not too bad.

So as long as the tracker does not have strict rules that one NEEDS to be directly reachable, this is no large issue.
But indeed for a VPN provider that claims to be the best for torrenting, at least single port forwarding could be expected. E.g. allowing a single chosen port per client still allows >60,000 clients per server.

About the split tunnelling. Actually I found this to be the easiest way:

# Add new routing table
G_CONFIG_INJECT '42[[:blank:]]' '42 bypass_vpn' /etc/iproute2/rt_tables
# Set WAN gateway the default gateway for this table (instead of tun0)
ip r add default dev wlan0 via 192.168.178.1 table 42
# Mark all [new] incoming connections from WAN iface
iptables -t mangle -A PREROUTING -i wlan0 [-m conntrack --ctstate NEW] -j CONNMARK --set-mark 42
# Mark all outgoing packets that belong to the marked connection
iptables -t mangle -A OUTPUT -m connmark --mark 42 -j MARK --set-mark 42
# Enable the new routing table for marked outgoing packets
ip rule add fwmark 42 table 42



  • So finally all connections that are established outside of the VPN will be as well answered outside of the VPN.
  • This could be added to ExecStartPre of the VPN service and removal of these rules/table to ExecStopPost.
  • -m conntrack --ctstate NEW is optional. Not sure if it’s beneficial at all. Probably less doubled marking but an additional check + match module to load. But
  • Table number, CONNMARK and MARK can be freely chosen and do not need to match. I just took 42 for all of them for no special reason.

MichaIng

> About the split tunnelling. Actually I found this to be the easiest way:
>
> # Add new routing table
> G_CONFIG_INJECT '42[[:blank:]]' '42 bypass_vpn' /etc/iproute2/rt_tables
> # Set WAN gateway the default gateway for this table (instead of tun0)
> ip r add default dev wlan0 via 192.168.178.1 table 42
> # Mark all [new] incoming connections from WAN iface
> iptables -t mangle -A PREROUTING -i wlan0 [-m conntrack --ctstate NEW] -j CONNMARK --set-mark 42
> # Mark all outgoing packets that belong to the marked connection
> iptables -t mangle -A OUTPUT -m connmark --mark 42 -j MARK --set-mark 42
> # Enable the new routing table for marked outgoing packets
> ip rule add fwmark 42 table 42
>
> * So finally all connections that are established outside of the VPN will be as well answered outside of the VPN.
> * This could be added to ExecStartPre of the VPN service and removal of these rules/table to ExecStopPost.
> * -m conntrack --ctstate NEW is optional. Not sure if it’s beneficial at all. Probably less doubled marking but an additional check + match module to load. But
> * Table number, CONNMARK and MARK can be freely chosen and do not need to match. I just took 42 for all of them for no special reason.

I don't really know how to integrate this into my setup.
Is "42" a user id? Or ... how do you mark the packets from Transmission, or how do you separate Transmission packets from the rest?
I did not really understand this by now.
For me I've found a working solution, as I told before. Yours seems to be easier... ?

Thank you for your assistance to find a solution.

luzifia
42 is just a random number. It just needs to be the same in all commands. It is the identifier:

  • If a packet is coming from the wlan0 interface (instead of from tun0), then mark the whole connection with this number 42.
  • When a packet is about to be sent, check if its holding connection has the 42 mark and in that case mark the packet as well with 42.
  • The “ip rule” then says that packets with 42 mark should use the routing table that uses wlan0 as default gateway. I gave this route table as well the name 42 :smiley:.

However if you found a solution that is fine. I will see if I can implement mine for testing into DietPi-NordVPN.

MichaIng

Hi There
Thx 4 Response :slight_smile:

I’ve read a lot about these routing things. So your solution has one problem, I think: all your traffic from WLAN goes through the tunnel. But the thing should be that all traffic from Transmission is redirected, and to have a working Transmission website. So I’ve marked all packets from the processes which are running under the “vpn” user, and a reverse proxy with nginx. The rest is nearly the same.
Also NordVPN is a really good provider, I use it for me and my family, on phone and tablet.
But it is not possible to use Transmission in a useful way with Nord.
And PIA I use for Kodi and Transmission, for port forwarding, and an OpenWrt router (Raspi 3 B+ with USB dongle and switch; and Banana Pi R2; I’ve done both builds for a friend and me) ← There I’ve installed OpenVPN and configured all traffic through the tunnel, and with firewall rules a block rule if the tunnel is down.

But it was fine to read, that you think about that, to implement it into Dietpi-NordVPN. I’ve learned very much from your scripts, I’ve read.
Ty 4 all your work.

Luzi

The whole point about the marks is that all connections that are incoming through WiFi (initiated externally, e.g. you access the web UI) stay outside the tunnel, since all those packets are marked and answers are sent through the wlan0 interface (instead of tun0 = VPN), with 192.168.178.1 being my router IP.

But all requests that are initiated from the device are tunnelled, so it does not work if a certain software title needs to initiate communication outside of the VPN as well. For this indeed the marks need to be done differently, e.g. based on user, as you suggested.
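The two marking strategies discussed in this thread (connection-based marking of everything that arrives on the WAN interface, as in the rt_tables/ip rule snippet above, and user-based marking of everything a given local user sends, as in the owner-match rules of iptables.sh) differ only in which mangle rules set the mark; the policy-routing part is the same. The following is an added example (not from the thread and not DietPi or htpcguides code) that packages both as an up/down pair suitable for ExecStartPre/ExecStopPost, with a dry-run mode that prints the generated commands so the rule set can be reviewed without root. `wlan0`, `192.168.178.1` and the mark/table value 42 come from the thread; the bypass user name `vpnbypass` and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: split-tunnel policy routing as an up/down
# pair. Two marking strategies:
#   connection - mark connections that arrive on the WAN interface (connmark
#                approach), so replies to e.g. the web UI leave via the WAN gateway
#   user       - mark everything sent by one local user (owner match), so that
#                user's processes bypass the tunnel even when they initiate
# Interface, gateway, mark, table and user below are assumptions for this host.
# With DRY_RUN=1 the commands are printed instead of executed.

WAN_IF=${WAN_IF:-wlan0}
WAN_GW=${WAN_GW:-192.168.178.1}
MARK=${MARK:-42}
TABLE=${TABLE:-42}          # numeric, so "ip rule list" shows "lookup 42"
BYPASS_USER=${BYPASS_USER:-vpnbypass}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it verbatim in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The mangle rules that apply the mark. $1 is -A or -D, so one list serves both
# adding and deleting; $2 selects the strategy.
mark_rules() {
    action=$1
    case $2 in
        connection)
            # new connections entering on the WAN iface get a connmark; every
            # outgoing packet of such a connection then inherits it as fwmark
            run iptables -t mangle "$action" PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
            run iptables -t mangle "$action" OUTPUT -m connmark --mark "$MARK" -j MARK --set-mark "$MARK"
            ;;
        user)
            # owner match only exists in OUTPUT; replies of a daemon's listening
            # socket carry that daemon's uid, so this covers both directions
            run iptables -t mangle "$action" OUTPUT -m owner --uid-owner "$BYPASS_USER" -j MARK --set-mark "$MARK"
            ;;
        *)
            echo "unknown mode: $2" >&2
            return 1
            ;;
    esac
}

# Bring the bypass up. "ip route replace" is idempotent by itself; the ip rule is
# checked first so a repeated start does not stack duplicate rules.
split_up() {
    mode=${1:-connection}
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    if [ "$DRY_RUN" = 1 ] || ! ip rule list | grep -q "fwmark 0x$(printf '%x' "$MARK") lookup $TABLE"; then
        run ip rule add fwmark "$MARK" table "$TABLE"
    fi
    mark_rules -A "$mode"
}

# Tear it down in reverse order, so no packet is ever marked for a table that no
# longer exists.
split_down() {
    mode=${1:-connection}
    mark_rules -D "$mode"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route flush table "$TABLE"
}

if [ "${1:-}" = up ] || [ "${1:-}" = down ]; then
    "split_$1" "${2:-connection}"
fi
```

Review the output first with `DRY_RUN=1 sh split_tunnel.sh up user`, then wire `ExecStartPre=/path/split_tunnel.sh up connection` and `ExecStopPost=/path/split_tunnel.sh down connection` into the VPN service. The user strategy is the one to pick when a program such as Transmission must open connections outside the tunnel itself; the connection strategy is enough when only externally initiated traffic (the web UI) has to stay off the VPN.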

Are you sure about it? I clicked on your link and received a 502 error.
Anyway, I think I know what you’re talking about, and here is the similar article: What's an online casino New Zealand? How find the best casino

The link is one year old and has been updated meanwhile. I fixed it: https://www.bestvpn.co/free-vpn/
However I’m no big fan of such overviews. Take care who is making those, whether it can be taken seriously and professionally, or whether the author is paid by a VPN provider to rank it 1st. I suggest to search for independent user experiences for each particular provider, or assure that the author is trustworthy :wink:.

Ah and about https://pilovali.nl/free-vpn/, Pilovali is one of our prior contributors and provided web hosting for dietpi.com in our early days. So as a person I can say that he is trustworthy. However, details about performance, uptime and maintenance of his VPN service you’d better ask him directly.