NordVPN - Transmission,Plex - Seeding not work, no Port Forwarding

Post by luzifia » Fri Mar 15, 2019 12:19 pm

Hello friends,

I use NordVPN and Transmission from Dietpi and it's not useful to use this in combination, because NordVPN does not allow Port forwarding.
Quote from https://nordvpn.com/blog/port-forwarding/:
"Does port forwarding work with a VPN? Port forwarding and triggering could work with a VPN protocol in general, but not with NordVPN. Our apps block almost all port communication from within your device except for the ones most commonly used by popular applications. This was a tough decision that may inconvenience some users, but we’d like to explain why we did this. Browsing the internet with open ports opens you up to a number of security risks. Blocking access to all ports except those that are essential for our VPN to operate and for you to enjoy the internet is part of how NordVPN keeps you secure. We wouldn’t be able to maintain our excellent security track record otherwise."

Port forwarding is essential for seeding. It's possible to leech, but not to seed. So for many funny things, you cannot combine this.

I have not found a solution to configure Transmission for SOCKS5, which NordVPN supports.

Also on my installation with DietPi I've added Plex Media Server. This is a really funny thing, but if you use NordVPN you cannot access your Plex server externally anymore. Here we have the same problem: NordVPN does not allow port forwarding, so your Plex server will not be accessible anymore. Plex uses port 32400 by default.

So I cannot follow the recommendation of DietPi to use the combination with NordVPN.

bye
Luzi

Post by MichaIng » Sat Mar 16, 2019 10:19 pm

@luzifia
Many thanks for your report.

Hmm, DietPi-NordVPN is not "Our apps" (no official NordVPN software) and AFAIK we do not block any ports. The VPN is used for outgoing connections so target hosts just see NordVPN requesting instead of your machine. But when you access your machine directly (via local IP or domain), the configured VPN does not/should not have any effect.

Generally our NordVPN setup uses OpenVPN and adds routes so outgoing traffic is tunneled to NordVPN servers. But this has absolutely no effect on port forwarding, which is configured on the router. OpenVPN has logically no chance to influence which port is forwarded by the router and which not, it cannot even know anything about this.
So what the quote means (most likely) is that the official NordVPN clients will include a firewall that blocks incoming connections on the machine itself. So even though the router forwards the ports, the machine itself blocks incoming requests.
But again, DietPi-NordVPN does not configure the firewall (iptables on Linux) to block incoming connections. It just configures outgoing requests to be tunneled.

So to verify your issue:
- You installed Plex and Transmission via DietPi-Software
- Both were working fine, allowing external web UI access, leeching and seeding as the router forwards the required ports.
- Then as soon as you install DietPi-NordVPN, Plex web access (externally) and Transmission seeding is broken? Does local access to Plex still work?

Post by luzifia » Sun Mar 17, 2019 1:05 pm

Hello MichaIng,

Thank you for the fast reply.

So
- yes
- yes
- yes
are the answers to your questions

also:

I have asked Dr. Google for some ideas and found something:
https://www.htpcguides.com/force-torren ... ntu-16-04/
https://www.htpcguides.com/configure-de ... -debian-8/

So I thought I would replace Transmission with Deluge for torrenting, configure Deluge with NordVPN SOCKS5,
and finally do the funny things from htpcguides.

- I've now created a new test installation on XU4
-- DietPi - OpenSSH, Nginx, Samba, NordVPN, MC

The problem now is: where do I create the up and down scripts for iptables and routing tables to realize the VPN split tunnel?
In the DietPi installation there is no "openvpn.conf" in /etc/openvpn.
The NordVPN DietPi service wrapper successfully hides where to find the config files, so that I can add:

#up and down scripts to be executed when VPN starts or stops
up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf

I also guess there is a problem with the user; I don't really know which user runs DietPi-NordVPN and Deluge and
where to change the running user.
As I understood it, this is important for flagging the packets for the reverse proxy.
The plex user also needs to be adjusted. Maybe I can solve this with an override.conf in /etc/systemd/system/plexmediaserver.service.d,
where the Plex library can also be moved and the new location declared.
The questions you asked tell me you understood what I want to tinker with.

ODROID HC2 SSD with Plex, -Deluge- and Nginx as reverse proxy.
Deluge (torrent and web) and all other communication (installation, apt-get, ...) take the tunnel, except Plex.
The plex user takes the normal way out, so normal Plex communication goes via eth0 and the rest via tun0.
NordVPN supports SOCKS5, so the torrent seeding function should also work. The reverse proxy allows me to connect to the tunneled Deluge website.

So this is my plan. I hope I have understood all in these guides, so that my dreamy plan, can be realized.

I hope you can help me with these problems or you have a script to realize that or something like that.

Post by MichaIng » Sun Mar 17, 2019 4:46 pm

The OpenVPN config used is within the ovpn_<proto> sub directories and then the one that you selected via DietPi-NordVPN.

Note that Dietpi-NordVPN is not any kind of daemon or something. It just shows you the available NordVPN servers and configures a systemd unit to start OpenSSH tun0 interface with the above mentioned config file to connect on boot automatically. It needs to be run as root user to create the systemd unit but checks this as well/throws an error if executed with non-root.
So the real process that is finally running is OpenVPN and as VPN it must be running as root anyway to be able to configure interfaces. See: systemctl cat dietpi-nordvpn

Deluge runs as its own user deluge; with the soon-to-be-released DietPi v6.22 it will be debian-deluged to match the pre-created user of the deluge Debian package.
Plex runs as plex ;).

But Deluge and Plex users should not play any role. It is only about OpenVPN and the set routes and redirects. Deluge and Plex as frontend software only send their requests to the default gateway and listen to any package that reaches the configured port. So don't mess with Deluge and Plex users, as this will not solve anything and only create follow-up errors with permissions and more. Use the users as they are instead if you require them as a sort of flag.

I made some research and indeed it seems to be an issue that when connecting via NordVPN to a torrent that others can't download from your server since requests to specific (bittorrent) ports are not forwarded by NordVPN back to your server. Also note that there are explicit P2P servers, perhaps those are required to allow seeding: https://nordvpn.com/de/servers/tools/ > "Show advanced options" > Change "Standard-VPN" to "P2P"
Not sure why/how SOCKS5 solves that, but it seems to be generally advised for enhanced privacy as well. We might want to add this hint to the NordVPN docs, that when using P2P traffic one should choose a NordVPN server that explicitly allows P2P (https://nordvpn.com/de/servers/tools/ > "Show advanced options" > Change "Standard-VPN" to "P2P"), enable Proxy > SOCKS5 in the Torrent software and add their NordVPN server with port 1080. I hope this indeed solves your seeding issue as well.

What I still don't get is the Deluge/Plex website connection issue. If you forward port 8112 and 32400 from your router to the server, you should be able to connect remotely regardless of active/inactive VPN. The VPN is just used for outgoing requests, but you should of course still be able to connect directly with the external IP/domain of your server.

In case of Plex, why do you want it to connect outside of the VPN? As said, incoming requests (connecting to web UI) should work regardless of this, so it would only affect Plex connecting to plex.tv server for authentication and updates and such. But since there is not much traffic done, I would just skip all the reverse proxy hassle and let Plex connect through VPN as well. Should not hurt.

Post by luzifia » Sun Mar 17, 2019 7:42 pm

Hi MichaIng,

I've done some experiments with my XU4.

Fresh DietPi install
Samba, Nginx, OpenSSH, MC, DietPi-NordVPN, Deluge
I've installed everything with standard settings, without any tweaks.

Now some pics as documentation.
[Attached images, in order: curl_info.PNG, router_config.PNG, nordvpn_con_conf.PNG, deluge_Torrents.jpg, deluge_settings.jpg]
I haven't found a solution till now ...
If you don't have any further tips, I'll try the guides. But I think with NordVPN there is no chance to solve the seed problem, because of the quote from NordVPN I've written in the first post.

Post by luzifia » Sun Mar 17, 2019 7:47 pm

Hi MichaIng,
[Attached image: SOCKS5.PNG]
https://support.nordvpn.com/General-inf ... -SOCKS.htm

That's the reason why I thought that the SOCKS5 server config would solve the seeding problem ...
but it doesn't :-(

Post by MichaIng » Sun Mar 17, 2019 10:43 pm

Just checked and all German NordVPN servers claim to support P2P and SOCKS5, so this is not the issue.

Did you configure the SOCKS proxy as well for "Tracker" and "DHT"? Aside that everything looks like it should, matching the official docs: https://nordvpn.com/de/tutorials/socks5/deluge/

Your second pic is port forwarding in the router?

And when you disconnect from NordVPN, seeding works again? (SOCKS proxy should be possible to leave active as this is independent from the VPN tunnel)

In case I would contact NordVPN support about this:
Mention you use Debian (to make them asking/thinking irrelevant distractions) with the default OpenVPN APT package (which is what DietPi-Software installs) and their official de521.nordvpn.com.udp.ovpn config.
Most important is then indeed that seeding (via Deluge) works without VPN connection active and is broken with VPN active, regardless of SOCKS being enabled or not (following https://nordvpn.com/de/tutorials/socks5/deluge/), so it is clear that port forwarding in the router is enabled and the network in general works as expected.

I am still not sure if I understood the NordVPN-side port forwarding issue that you and also others report, especially since I found way more reports about successful seeding through NordVPN tunnel. And P2P logically inherits that both sides can reach each other, so it would not make sense if NordVPN claimed P2P functionality but then would not forward the requests. :?

Post by luzifia » Mon Mar 18, 2019 5:09 pm

Hello MichaIng,

Yes Debian - DietPi fresh install :P

Yes, I've tried nearly all of them ... also some UK servers as well - same result.

Yes, the second one is port forwarding in my router ... I also have 1080 and 8112 UDP/TCP configured.
Yes, I've configured all of them with the same info as the official documents told me.

I've done Deluge with and without SOCKS5 and with or without tunnel.

4th pic: (1) is a torrent from TOR to check the tunnel and (2) is a torrent from a tracker.
I don't know if you can read German, so at (2) this means something like:
You are not allowed to seed, because you are not reachable - please read our FAQ.
In the FAQ: The error seems to be a port block in your router.

So I've closed the tunnel and it runs.

I also have a second system running - nearly the same - but there it is Transmission and Plex.
Both are running perfectly - and Transmission is connectable.
For that I've done some routes in my router as well.

I also tried NordVPN on this system. Transmission is not able to configure a proxy, but
without VPN there are no problems. With the tunnel nothing works as it should.
For normal use (Android phone, iOS phone, Win10 64-bit) NordVPN works great, sometimes there are disconnects, but for the use I (we) want to use it for - well, it seems to be not the right VPN.

Post by luzifia » Mon Mar 18, 2019 5:59 pm

Some pics (attached images):

- TunnelOff: dietpi_tunnel_off.PNG
- Proxy Page 2: RouterProxy2.PNG
- Leech(1) Tunnel (-) Proxy (+): ToorentLeechErrOhneTunMitProxy.PNG
- Leech(2) Tunnel (-) Proxy (-): TorrentLoadOKOhneProxyOhneTun.PNG
- Leech(3) Tunnel (+) Proxy (-): TorrentMitTunnelOhneProxy.PNG
- Leech(0) Tunnel (+) Proxy (+): have a look above please

Post by MichaIng » Mon Mar 18, 2019 9:18 pm

@luzifia
I just rechecked and reread much.

First I would not (yet) give up on NordVPN. I read so much about it and for the vast majority of users P2P (torrenting) works very well with them and they even promote this and provide many guides to set this up explicitly and also with Deluge in particular.

I checked our DietPi-NordVPN install and it follows exactly their docs:
- Installing OpenVPN and run with official configs from NordVPN: https://support.nordvpn.com/Connectivit ... rminal.htm and https://nordvpn.com/de/tutorials/linux/openvpn/
- Our dietpi-nordvpn.service runs the openvpn command with mentioned arguments (using the chosen server config) and login credentials.
- You chose a P2P capable server (all in Germany are)
- Your Deluge config to configure SOCKS5 exactly as: https://support.nordvpn.com/Connectivit ... Deluge.htm and https://nordvpn.com/de/tutorials/socks5/deluge/

So again with this I would consult the NordVPN support.

I also found the guides you obviously used to setup a split tunneling connection:
- Enable split tunneling for a certain user/group: https://www.htpcguides.com/force-torren ... ntu-16-04/
- Configure Deluge to work with split tunneling: https://www.htpcguides.com/configure-de ... ntu-16-04/
However, to keep things separated, ensure first that torrenting (seeding) works with the default setup, tunneling all traffic through the VPN. This split tunneling setup breaks local connection to Deluge from outside the VPN (in the first place), which is what you faced before.

One quick note:
Since you explicitly forward the configured Deluge/torrent ports within your router, disable UPnP in your Deluge web UI as well. This is only relevant if you want to allow Deluge to open the required port(s) within the router automatically, and only in case the router supports this and has it enabled. But it is a security vulnerability, so I would always configure port forwarding manually and disable all remote control protocols within the router.
