imetators

Need help with VPN

https://lemmy.dbzer0.com/post/54431750

Need help with VPN - Divisions by zero

I currenly reside in a country with strict piracy rules but also have access to the internet in a country where piracy is not enforced. I want to setup a VPN and route qBittorrent’s traffic through it. The idea is to do something like this: [https://lemmy.dbzer0.com/pictrs/image/0359a687-7bfe-4cee-b5d3-01a6c35f1601.webp] I am fresh to selfhosting and most of the time have no clue how to achieve what I want. So far I have tried Tailscale but I think it won’t work how I want it to. If it helps, I have domain name registered. Can anybody point me to the right direction?

Sep 29 at 5:45amWeb
Show threadDr. WeskerSep 29

Why can’t you just use a VPN service, locally? It’s essentially the same thing, except you don’t have to host the exit node in country B yourself.

Tailscale is wireguard behind the scenes. I would think it should be able to work as you describe, you would again just set your machine in country B as the exit node.

None of this should require a domain name.

Show threadimetatorsSep 29
I have to pay for a VPN service. If I can skip paying by hosting it myself, I’d go the distance. It has been fun selfhosting services so far. I want to go deeper.
Show threadabominable_pandaSep 29

Raspberry Pi:

  • Install wireguard (as a server)
  • Set up a peer/client config
  • Open wireguard port on the router

    • MiniPC:

  • Install wireguard (as a client)
  • Add server config and connect to server
  • Verify connection
  • Ensure connect on boot

    • Points to note:

    • Configure them both locally and ensure you have a connection before you move the pi to another country

    • If you’re behind a CGNAT on one network, that’ll change some things. That network will have to be the client. (If both are behind CGNAT, you’re out of luck and cant use this - will have to be tailscale or other method)

    • If using a domain name make sure its always pointing to your ip (in case it’s not static)

    • I think if you set allowed ip as 0.0.0.0/0 on the client it’ll route all traffic.

    Show threadimetatorsSep 29
    I will look into WireGuard! Thank you!
    Show threaddudenasSep 29
    I cannot resist enjoyng the idea that there could be countries where piracy is enforced :)
    Show threadBorgerSep 29

    You can absolutely use Tailscale; your host in the unrestricted country needs to be set up as an exit node (CLI argument in Linux, or a menu option in the system tray in Windows.)

    Then, your local machine needs to be set up to use that remote machine as its exit node. (tailscale up --exit-node=remote-tailnet-ip-here)

    Show threadimetatorsSep 29
    I am thinking to do this but only one thing bothers me. I want only qBittorrent to be using VPN, not the rest of the machine. Is there a way to set only qBittorrent with Tailscale?
    Show threadBorgerSep 29

    Ah, sorry I hadn’t appreciated you were after split tunnelling… You can do this with Tailscale for services where you’re connecting to a fixed IP/FQDN, which I think rules out torrenting/P2P unfortunately.

    The only way I’ve seen to pass a specific app’s traffic through Tailscale appears to be an Android exclusive feature.

    If I’m wrong someone please correct me!

    Show threadRowan ThorpeSep 29
    Anyone who knows enough about Wireguard, iproute2 tools, iptables/nftables, etc (firewall-marking certain packets based on criteria, then directing them through alternate route-tables based on that) can hand-roll split-tunneling, internal point-to-point tunnels/meshes, etc. For (most) people who want to achieve this in a less painful/fragile way, from what I’ve understood it seems Tailscale just does exactly this under the hood in a less arduous and more intuitive way for users, while also providing a static web-facing ingress point when needed. Headscale exists for those wanting that but with their own static ingress (self-hosted at their own IP) instead of Tailscale’s.
    Show threadAtherelSep 29

    Wireguard on the pi was already mentioned.

    If you use docker containers, you could use Gluetun to route its traffic through the VPN. Without containers, on Linux you can use firejail to restrict qBittrorrent to the vpn interface. On windows… no idea, sry.

    gluetun-wiki/setup/connect-a-container-to-gluetun.md at main · qdm12/gluetun-wiki

    Home to the Markdown Wiki page for Gluetun. Contribute to qdm12/gluetun-wiki development by creating an account on GitHub.

    GitHub
    Show threadimetatorsSep 29
    MiniPC runs Mint. I will check firejail. Thank you!
    Show threadDr. WeskerSep 29
    Doesn’t firejail only allow sandboxing to an actual eth or wifi interface, and not a wireguard one? I’ve tried this before with firejail, and hit this wall.
    Show threadAtherelSep 29

    Damn you’re right, it doesn’t work out of the box like I expected. Have to admit that I never used it this way around. But it should work with --netns (network name spaces) which Wireguard uses: www.wireguard.com/netns/

    Afaik it should work if you move Wireguard to it’s own namespace and than start qBittorrent with the new namespace (should even be doable without firejail).

    @imetators @lemmy.dbzer0.com sorry for chasing you down that rabbit-hole, it sounded easier in my head

    Routing & Network Namespaces - WireGuard

    Show threadplantsmakemehappySep 29
    A second option for docker is the hotio image for qbit. Has VPN support built in so you can just throw it your wg0 conf to use.
    Show threadzer0bitzSep 29
    Check out I2P. No need for this setup.
    I2P Anonymous Network

    Anonymous peer-to-peer distributed communication layer built with open source tools and designed to run any traditional Internet service such as email, IRC or web hosting.

    Show threadquantSep 30
    Check if that raspberry pi is behind CGNAT. In that case you’ll need something else to tunnel through, like Tailscale that was mentioned elsewhere.