
Force Traffic Through Torguard VPN on Ubuntu VM


Lz129hindenburg

Greetings,

I'm a long-time user of TorGuard on Windows machines but have recently made a change to my setup. I'm now choosing to run my VPN on an Ubuntu VM (via VirtualBox) on a host Windows machine. My Windows host I never run VPN on anymore, but my VM runs TorGuard VPN all the time. I've installed and am running TorGuard on the VM with no problems, but I want to have the extra security of making sure torrent traffic is stopped if the VPN for some reason goes down. I'm relatively new to both virtual machines and Linux. I want to do one of two things, whichever is easier:

  • Force all traffic on the VM through TorGuard, stopping all network access on the VM if the VPN connection is lost OR
  • Force all traffic on my torclient (I'm using Transmission) through TorGuard, stopping all torrents if the VPN connection is lost

I am familiar with how to do this on Windows/qBittorrent but not with Ubuntu/Transmission. I've tried to follow along with some similar posts but it seems my setup is slightly different than others I've encountered. Can anyone help?

Thanks...


1 answer to this question

username
ufw enable
ufw default deny outgoing
ufw default deny incoming
ufw allow out from 192.168.1.0/24 to 192.168.1.0/24
ufw allow in from 192.168.1.0/24 to 192.168.1.0/24
ufw allow out to any port 1912
ufw allow out on tun0 from any to any
ufw allow in on tun0 from any to any

Not an expert, use at your own risk, but... I used the above commands for mine (Ubuntu server 2020.4) and it mostly works. It denies pretty much anything except a connection to an OpenVPN server, the local network, and anything going through the VPN.

Run the above commands once and they persist after reboot ("ufw reset" if you mess up.)

A weakness is in that "any port 1912" line. It is to allow an outbound connection to any TorGuard VPN (the port is specified in your OpenVPN config and it should be TCP 1912 by default), but actually it allows that connection to ANY server, meaning that it's remotely possible that your client could connect to a torrent via port 1912. Ideally it would be limited to the server that you are using by replacing "any" in that line with the IP of the server you want to use.

Since DNS is not allowed, all addresses must be IP, not the DNS name (applies to firewall and OpenVPN configuration--after the VPN is up, DNS will go through it.) If you have a favorite trusted (secure) DNS, you could allow that in a line similar to "ufw allow to 1.1.1.1 port dnssec" where 1.1.1.1 is the IP of your DNS server. Note that using your local router as a DNS server (typically 192.168.1.1) will probably create a DNS leak because your real IP will be used for requests.

Another thing I just thought about is the wisdom of the "allow in on tun0 from any to any" and "allow out on tun0 from any to any". It is a) exposing you to anything coming through the VPN and b) potentially allowing others to use your server as a gateway. Maybe remove "to any" and "from any" respectively?

Also note that my local IP is 192.168.1.0/24--yours might be different.
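The answer's suggestion to replace "any" in the port 1912 rule with the server's IP, shown as an added example that is not part of the original post: the script reads the "remote" lines of an OpenVPN client config and prints a ufw rule set pinned to those servers. The helper name pinned_rules, the sample config and the 203.0.113.x addresses are constructed for illustration, and the inbound tun0 rule is left out as an assumption that no port forwarding is needed.

```shell
#!/bin/sh
# Added example: print a ufw kill-switch rule set pinned to the OpenVPN
# servers in a client config. It only prints commands; it never runs ufw.

# Constructed sample config; 203.0.113.0/24 is a documentation range.
SAMPLE_OVPN='client
dev tun
proto tcp
remote 203.0.113.10 1912
remote 203.0.113.11 1195 udp'

# pinned_rules CONFIG_TEXT LAN_CIDR [TUN_IF]   (hypothetical helper)
# Fails (status 1, no rules) if any remote is a hostname: DNS is blocked
# until the tunnel is up, so the config and the firewall both need IPs.
pinned_rules() {
    cfg=$1; lan=$2; tun=${3:-tun0}
    remotes=$(printf '%s\n' "$cfg" | awk '
        $1 == "proto"  { dproto = $2 }   # config-wide defaults
        $1 == "port"   { dport = $2 }
        $1 == "remote" { host[++n] = $2; port[n] = $3; proto[n] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                if (host[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    print "remote is not an IPv4 literal: " host[i] > "/dev/stderr"
                    bad = 1; continue
                }
                p  = (port[i]  != "") ? port[i]  : (dport  != "" ? dport  : 1194)
                pr = (proto[i] != "") ? proto[i] : (dproto != "" ? dproto : "udp")
                pr = (pr ~ /^tcp/) ? "tcp" : "udp"   # tcp-client, tcp4 -> tcp
                printf "ufw allow out to %s port %s proto %s\n", host[i], p, pr
            }
            exit bad
        }') || return 1
    [ -n "$remotes" ] || return 1
    # No "allow in on tun0": replies to outbound connections still pass
    # because ufw tracks connection state. Enable last, once rules exist.
    printf '%s\n' "ufw default deny outgoing" "ufw default deny incoming" \
        "ufw allow out from $lan to $lan" "ufw allow in from $lan to $lan" \
        "$remotes" "ufw allow out on $tun from any to any" "ufw enable"
}

pinned_rules "$SAMPLE_OVPN" 192.168.1.0/24
```

Review the printed commands before running them as root, and rerun the script whenever the "remote" lines in the config change.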

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...