Preventing DNS leaks when using a VPN connection

Asked by Robert John Bennett

I have Linux/Ubuntu installed on my computer. I sometimes use qbittorrent with a VPN connection (Linkideo.com) in order to connect to the Internet through a proxy and make my IP address anonymous. If the VPN connection went down, though, qbittorrent would still be running, and my IP address would no longer be anonymous.

With Windows, there's a neat little program called VPNetMon that will close the torrent application if the VPN connection goes down. But VPNetMon only works with Windows.

If I'm running Ubuntu, how can I make sure that qbittorrent will automatically close if the VPN connection goes down?

Question information

Language: English
Status: Needs information
For: qBittorrent
Assignee: No assignee
Christophe Dumez (hydr0g3n) said :
#1

I'm not familiar with VPN. Especially, I don't know how you can actually detect that it is down (apart maybe for using a regular ping on the VPN server).

But once you can detect the VPN is down, it is simply a matter of using "killall qbittorrent" to switch qBittorrent off.

Robert John Bennett (rjbennett-post) said :
#2

Thank you for taking the time to answer. Yes, there are ways to detect
when the VPN connection goes down, and when that happens there is no
problem in switching qbittorrent off. What I am looking for, though,
is a way of having qbittorrent switched off automatically when the VPN
connection goes down.

With Windows, there is a program called VPNetMon that will instantly
switch off the bittorrent client when the VPN connection goes down,
and when the VPN connection is restored, VPNetMon will automatically
switch the torrent client on again. However, VPNetMon doesn't work
with Ubuntu.

So what I am looking for, again, is a way of having qbittorrent
switched off automatically when the VPN connection is down, and then
switched on again automatically when my VPN provider restores the
connection.

I can understand that all that may seem difficult if you're not
familiar with VPN, but I appreciate your response - it was very kind
of you.

Best regards

--
Robert John Bennett

Ernst-Gnoss-Strasse 22
40219 Dusseldorf
Germany

E-Mail: <email address hidden>
Alternate E-Mail Address: <email address hidden>

Telephone: +49 211 586 4847
Mobile: +49 152 0285 4626

Website:
http://blogs.law.harvard.edu/revision

Facebook: http://www.facebook.com/

Christophe Dumez (hydr0g3n) said :
#3

Let's approach this differently since I'm no VPN expert.

I'm guessing that you have a particular network interface (e.g. vpn0) dedicated to the VPN connection, right?
Apparently, the problem seems to be that qBittorrent listens on all interfaces and not only on "vpn0". Do you think it would solve the problem if :
- I add an option to qBittorrent to allow the user to define the network interface he wishes to use (and only this one).

I think this is easy to implement in qBittorrent and I would do it if you think it will help.

Robert John Bennett (rjbennett-post) said :
#4

Actually, I'm certainly no VPN expert, and I'm sure you know a lot
more about computers than I do. To give you more information about my
two VPN connections, I've attached to this e-mail a copy of the
instructions I used to set up those connections on my laptop with the
Ubuntu OS.

It seems to make sense, as you wrote, to "add an option to qbittorrent
to allow the user to define the network interface he wishes to use
(and only this one)."

Since I really know very little about computers, it's hard for me to
tell how this will work, but it would be easy to test. If your
suggestion is right, then this would happen (as happens with VPNetMon
and uTorrent on Windows):

1. The user establishes a VPN connection.

2. The user then runs qbittorrent.

3. If the VPN connection is interrupted (e.g., the VPN provider has to
do some maintenance, or the user breaks the VPN connection
deliberately in order to test this function), then qbittorrent closes
immediately and automatically.

4. When the VPN connection is restored, then qbittorrent starts again
automatically.

As I said, this is what VPNetMon with a torrent client (like uTorrent)
on a Windows OS does. This VPNetMon capability is especially useful
when downloading a large file over a VPN connection, because the user
cannot always be at his computer to check if the VPN connection is
down or not.

I have to say that so far, using qbittorrent and VPN, there has been
no problem, because the VPN connection has never been interrupted, but
I'd like to be on the safe side. When I use uTorrent on my Windows 7
computer, VPNetMon stops the download if VPN is interrupted and starts
uTorrent again when the VPN connection is working again.

There's certainly no need to find a solution to this problem quickly,
though. Ubuntu and qbittorrent work great on my laptop, and it's good
to have that one computer that is free of Windows. However, if I have
a large file to download, I'll use uTorrent and VPNetMon on my Windows
7 computer, just to be on the safe side, for the time being.

All the best to you, and again, many thanks.

Robert John Bennett (rjbennett-post) said :
#5

Hi,

In one of your messages, you wrote, "I'm guessing that you have a particular network interface (e.g. vpn0) dedicated to the VPN connection, right? Apparently, the problem seems to be that qBittorrent listens on all interfaces and not only on "vpn0". Do you think it would solve the problem if : - I add an option to qBittorrent to allow the user to define the network interface he wishes to use (and only this one). I think this is easy to implement in qBittorrent and I would do it if you think it will help."

I think it might help and I would like to try it, if you want to implement it. I've read in the forums that there are a number of people who would like the option, in Ubuntu, of having the torrent client automatically terminate when their VPN connection is interrupted. As I've mentioned, this problem doesn't exist with Windows because a little program called VPNetMon will stop the torrent client if the VPN client fails. VPNetMon, however, works only with Windows, and not even with WINE.

So if you could "add an option to qBittorrent to allow the user to define the network interface he wishes to use (and only this one)" I think a lot of Ubuntu users would appreciate it.

Best regards,

Robert Bennett

Jameen Aziz (jpjamail) said :
#6

Hi,

I use this kind of setup with openvpn and want all torrent connections over the tun0 interface; it's pretty straightforward to do what you want using firewall rules, especially with shorewall where you can assign a rule that prevents "leaks" via your normal internet connection. I can describe how to do it in email if you want, it's not too hard..

You need to be able to bind qbittorrent to specific interface and specify the external IP; to avoid loops and to report to the trackers. I'm getting lots of blocked outgoing packets to my external IP from qbittorrent; I'm no programmer but have got the source to have a look if this is straightforward.

Some other torrent client used an option to check whether the interface existed, if not it didn't bind. This may be easier...?

Robert John Bennett (rjbennett-post) said :
#7

Hi,

Thank you for your message. Yes, I'd appreciate it if you could
explain your setup in an e-mail. But please make the explanation as
clear and as simple and as detailed as possible, if you have the time
to do that. I'm just an average computer user and I know very little
about Ubuntu or qbittorrent.

Also, I have never heard of Shorewall.

I really, really appreciate the fact that you would take the time and
make the effort to send an explanation.

Best regards,

Bob Bennett

Jameen Aziz (jpjamail) said :
#8

Actually you'll probably need to learn the basics of shorewall -- it's essentially
a nicer interface to netfilter (iptables) firewall which is standard on
Linux - although you *can* just code your own firewall rules with iptables
(I used to!) shorewall has a nice clean approach to things, and stops you
making silly errors like blocking access to your own loopback connection.
I think the first solution is easier for now.. but FYI I've detailed the
general shorewall setup below as I use it -- it's not perfect either and
may be too time consuming. Doesn't stop you installing shorewall and
having a play with it, it won't affect anything by default since it's
disabled in /etc/default/shorewall.. you can then take a look at the docs
and get an idea how it works.

There is a quick and dirty way
of killing qbittorrent in the event that openvpn connection goes down. In
your openvpn configuration (found in /etc/openvpn/something.conf) you can
define a script to run when the vpn connection dies - which means you could just
add the following two lines at the bottom of the /etc/openvpn/<something>.conf:

(edit with sudo vi /etc/openvpn/... or whichever editor you use)

--down killqbt.sh
--script-security 2

(you may already have script-security [x] just change it to 2).

then you can create a file in /etc/openvpn called killqbt.sh. You'll need
to do this as root so:

sudo su
cd /etc/openvpn
cat<<EOF>>killqbt.sh
#!/bin/sh
killall -wq qbittorrent || killall -q -s9 qbittorrent
EOF
chmod +x killqbt.sh

after you restart openvpn with something like...

sudo invoke-rc.d openvpn restart

...you should find that openvpn will kill qbittorrent when the link
goes down. Actually, since I'm looking at the qbittorrent fix right
now, and also considering how involved the whole shorewall thing is, I suggest
using this method. I don't want to lead you down the route of setting
something up which can be a bit of a minefield even to me with 10+ years
Unix experience; without your having a basic understanding of how
shorewall (and therefore iptables) works. It may be overkill in any case
:)..

You could potentially add another line to openvpn config to restart
qbittorrent when the link is back up, but I think you'd have to use
qbittorrent-nox to do it: since I can't think of a way of starting a
graphical app from openvpn easily.. I will think about this today, but
anyway I don't think it's really difficult to fix the qbittorrent source
code ... or maybe the author has it already. I'll keep you posted, because
this is the cleanest solution.

The shorewall way(!). You'll want to install shorewall with sudo apt-get
install shorewall and then take a look at the quickstart guide to get an
idea how it works. The world is divided into "zones".. up to you how you
define them.
Ignore anything about a "tunnels" file in the docs, it's deprecated. I do
it something like this: I have a PC connected to the internet via an ethernet
ADSL modem on eth2 and I divide the "zones" file like this:

/etc/shorewall/zones:

fw ipv4
net ipv4
vpn ipv4
lan ipv4

then I have an interfaces file:

/etc/shorewall/interfaces:

- eth2 detect tcpflags,nosmurfs
vpn vpn0 - tcpflags,nosmurfs,optional

the hosts file is needed because obviously my router is attached to the
same interface (eth2) as the "internet" and you don't want to treat the
router with same rules as an internet site:

/etc/shorewall/hosts:

lan eth2:10.9.9.0/24 -
net eth2:!10.9.9.0/24 -

so I'm saying any traffic from 10.9.9.* on eth2 is "lan" zone and anything
from any other addresses is "net" zone. It already knows about the "vpn"
zone which comes from the "vpn0" interface; and also the "fw" zone which
is anything local.

Then you have to create a policy and a rules file. The policy is general
rules, which zones can talk to which zones, and this is why you need some
understanding of firewalls/iptables. For example I can have:

/etc/shorewall/policy

$FW vpn ACCEPT
$FW net REJECT
vpn $FW DROP
net $FW DROP

which says allow traffic from this PC to the "vpn" zone (which is anything
going over vpn0 interface) but not to the "net" zone, which will stop any
traffic over the eth2 interface to the outside world. The next one says
drop anything incoming from vpn or net to me - except for related and
established connections.

Then you get on to a rules file, since above I have said to reject traffic
from me to the net, I need a specific exception to allow the openvpn
connection.. so you take the IP from /etc/openvpn/*.conf for your tunnel
provider (--remote xx.xx.xx.xx) and put

/etc/shorewall/rules

ACCEPT $FW net:xx.xx.xx.xx UDP 1194 - - - :root

assuming your openvpn connection is UDP 1194 this will allow root to
bypass the policy above and make a connection to this host on this port.
This is therefore an exception to the rule; if you had such a config no
internet traffic would be allowed AT ALL via the eth2 interface EXCEPT for
this one address.. so if the vpn0 interface went down, nothing would "leak
out".

But you can do it in other ways, you can either block everything and make
exceptions for example for web browsing, and add them as you need them, or
allow and block certain things. For example you could run qbittorrent as
another user in a group qbittorrent and block access to the "net" zone for
group qbittorrent.. dependent on what else you do. Like I said it may be
overkill, but if you want a secure system you do need a firewall, and if
you want to be absolutely secure that none of your traffic goes down the
wrong pipe then this is the way to do it.

Feel free to email me back, bit busy today but will get back to you as
soon as.
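
The post above notes that the same policy can be coded directly with iptables. The sketch below is an added example, not part of the original post or of shorewall: it prints an iptables-restore ruleset that mirrors the policy and rules files shown, and audits it for unrestricted OUTPUT rules. The function names are hypothetical, 203.0.113.10 is a constructed stand-in for the provider address written as xx.xx.xx.xx, and the LAN and DNS rules are assumptions not present in the post's policy file.

```shell
#!/bin/sh
# Added example. Interface names, LAN range and port come from the post's sample
# config; the VPN server address is a constructed placeholder.

gen_killswitch_rules() {
    # $1 physical interface   $2 VPN interface   $3 LAN CIDR
    # $4 VPN server address   $5 VPN protocol    $6 VPN port
    phys=$1 vpn=$2 lan=$3 server=$4 proto=$5 port=$6
    cat <<EOF
# IPv4 only, like the ipv4 zones in the post; IPv6 needs its own ip6tables ruleset.
*filter
# "vpn \$FW DROP" and "net \$FW DROP": new inbound connections are dropped by policy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Assumption: the LAN may reach this host (for example ssh).
-A INPUT -i $phys -s $lan -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# "\$FW vpn ACCEPT": anything may leave through the tunnel.
-A OUTPUT -o $vpn -j ACCEPT
# The rules-file exception: only root may reach the VPN server outside the tunnel.
-A OUTPUT -o $phys -d $server -p $proto --dport $port -m owner --uid-owner root -j ACCEPT
# Assumption: refuse DNS to the LAN resolver so lookups cannot bypass the tunnel.
-A OUTPUT -o $phys -d $lan -p udp --dport 53 -j REJECT
-A OUTPUT -o $phys -d $lan -p tcp --dport 53 -j REJECT
-A OUTPUT -o $phys -d $lan -j ACCEPT
# "\$FW net REJECT": everything else is refused, whether or not the tunnel is up.
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Audit helper: read a ruleset on stdin and print every OUTPUT ACCEPT rule that is
# neither bound to loopback or the VPN interface ($1) nor limited by a destination.
# Any line printed is a path by which traffic could leave outside the tunnel.
unrestricted_output_rules() {
    grep -- '^-A OUTPUT .*-j ACCEPT' \
        | grep -v -e ' -o lo ' -e " -o $1 " -e ' -d ' || true
}

# Print the ruleset for the post's sample layout (eth2, vpn0, 10.9.9.0/24, UDP 1194).
gen_killswitch_rules eth2 vpn0 10.9.9.0/24 203.0.113.10 udp 1194
```

The output can be saved to a file, checked with `iptables-restore --test`, and then loaded as root with `iptables-restore`.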

Robert John Bennett (rjbennett-post) said :
#9

Hi Jameen,

I am so dumb when it comes to computers in general and Ubuntu in
particular, that I'm afraid the huge amount of work you put into your
explanation is just over my head. Even the "quick and dirty" solution
is beyond me. For example, I don't understand what
"/etc/openvpn/<something>.conf" means or how I'm supposed to enter it
into a terminal. Does "openvpn" mean that you assume I'm using
OpenVPN? (Actually, I use a commercial VPN service called Linkideo.)
And what does the <something> mean? And am I supposed to enter a
command before the "/etc"? And when you write "edit with sudo vi
/etc/openvpn/... or whichever editor you use", that just makes no
sense at all to me, unfortunately. I mean, instead of "openvpn" do I
put "linkideo"? And what does "/..." mean?

So now you have some idea of how really, really stupid I am in a
situation like this!

Look, I don't want you to waste your time on an idiot. I'm sure you
have more important things to do. I think the best thing would be for
me to wait until a future version of qbittorrent offers an easily
usable option that will simply cause qbittorrent to shut itself down
if the VPN connection is interrupted. In the meantime, I have Windows
7 on one partition on my hard disc, and when I want to download
something with a secure connection, I can go to that partition and use
utorrent and VPNetMon. I don't like to have to use Windows, but in
this case, people like me just have no alternative.

See, the thing about Linux/Ubuntu is this: it's a great operating
system for people who know something about computers, but for us
average know-nothings, it's still just too complicated in many ways. I
realize Ubuntu is trying to be user-friendly with all those cute
little icons, but in a lot of cases, it's just not very user-friendly
at all. I mean, things that are so easy to do in Windows become
monumental projects with Ubuntu. What can be done in a matter of
seconds on Windows can take hours and hours on Ubuntu, searching
forums and trying out solutions by trial and error. I hope all that
will change sometime in the future, but right now we average guys just
have to use Windows for a lot of activities on our computer that are
just too complex for us using Linux/Ubuntu - activities like trying to
get a torrent client to automatically shut down when the VPN
connection is broken.

I have enormous respect for your knowledge of Linux.

Best regards,

Bob Bennett

japers (jppanchaud) said :
#10

After spending countless hours trying to achieve the above, I can say I was absolutely delighted to find this thread - it really has been a lifesaver. Using your instructions, I am almost there but haven't managed to make it work yet - wondering if you/someone might be able to help with the last steps? I am running this via ssh on a Pogoplug running Plugbox Linux, below are my settings as I had to adapt them a little:

/etc/shorewall/zones:

fw firewall
net ipv4
vpn ipv4
lan ipv4

I had to change "fw ipv4" as under "shorewall check" this brings up an error of "no firewall zone defined":

/etc/shorewall/interfaces:

- eth0 detect tcpflags,nosmurfs
vpn tap0 - tcpflags,nosmurfs,optional

/etc/shorewall/hosts:

lan eth0:192.168.0.0/24 -
net eth0:!192.168.0.0/24 -

I move my Plugbox between 3 different LANs which are starting 192.168.x.* , with x being either 1,2 or 11 so I think this should cover it.

/etc/shorewall/policy

$FW vpn ACCEPT
$FW net REJECT
vpn $FW DROP
net $FW DROP

After running "shorewall check" I get errors relating to no policies being set between other interfaces. I therefore tried (at the end of the list):
all all REJECT

The problem being that all internet access is rejected when shorewall is restarted (ssh is fine) - I cannot ping an ip address or number. It makes absolutely no difference whether I am connected to the vpn or not. What is really strange is that I cannot ping the router or any lan PC, including the one from which I am logged in via ssh but ssh is fine!

I therefore tried replacing all, all with the following but the outcome is the same:
net vpn DROP
vpn net DROP
net lan DROP
lan net DROP
vpn lan ACCEPT
lan vpn ACCEPT

/etc/shorewall/rules

ACCEPT $FW net:188.126.68.0/22 udp 1194 - - - :root
ACCEPT $FW net:178.73.208.0/22 udp 1194 - - - :root
ACCEPT $FW net:80.67.14.0/23 udp 1194 - - - :root

My VPN provider lists the 3 IP ranges above in their FAQ. During my last test, my IP was 188.126.68.172.

Is anyone able to help?

japers (jppanchaud) said :
#11

I forgot to mention that I also had to add the following in /etc/shorewall/policy - otherwise there would be an error of no policy being set:

$FW lan ACCEPT
lan $FW ACCEPT

japers (jppanchaud) said :
#12

Anyone?
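
The hosts file in post #10 puts an address on eth0 in the `lan` zone only when it falls inside 192.168.0.0/24, and in `net` otherwise. The sketch below is an added example, not part of the thread: it computes that membership for the 192.168.1.*, 192.168.2.* and 192.168.11.* LANs mentioned there. The function names are hypothetical and the sample host addresses are constructed.

```shell
#!/bin/sh
# Added example: zone membership implied by the two hosts-file lines
#   lan eth0:<cidr>     net eth0:!<cidr>

ip_to_int() {
    # Dotted quad -> 32-bit integer.
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

in_cidr() {
    # $1 address, $2 network/prefix. Exit status 0 when the address is inside.
    addr=$(ip_to_int "$1")
    base=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
}

zone_for() {
    # $1 address, $2 CIDR given for the lan zone. Prints "lan" or "net".
    if in_cidr "$1" "$2"; then
        echo lan
    else
        echo net
    fi
}

# Constructed sample hosts, one per LAN named in post #10.
for host in 192.168.1.1 192.168.2.1 192.168.11.1; do
    echo "$host: /24 -> $(zone_for "$host" 192.168.0.0/24), /16 -> $(zone_for "$host" 192.168.0.0/16)"
done
```

An address classified as `net` is subject to the `$FW net REJECT` policy line; a prefix such as 192.168.0.0/16 contains all three LANs.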
