I currenly reside in a country with strict piracy rules but also have access to the internet in a country where piracy is not enforced. I want to setup a VPN and route qBittorrent’s traffic through it. The idea is to do something like this:
I am fresh to selfhosting and most of the time have no clue how to achieve what I want. So far I have tried Tailscale but I think it won’t work how I want it to. If it helps, I have domain name registered. Can anybody point me to the right direction?
Update (if anyone is seeking answers):
I went with tailscale which I have already set up before on the rpi3. Somehow, no matter what I try, wireguard or pivpn would not work. Maybe I have hands growing out of my ass or something, no idea.
What did work is Dante. I setup socks5 on pi through tailscale0 and it worked wonders. Qbittorent did connect and detected IP of rpi3. The best part is that opposed to wireguard, dedicated port does not have to be open in order for Dante to work. I see it as a win win! Now I’m hyped to go back to my homeland and install pi there.
Raspberry Pi:
- Install wireguard (as a server)
- Set up a peer/client config
- Open wireguard port on the router
MiniPC:
- Install wireguard (as a client)
- Add server config and connect to server
- Verify connection
- Ensure connect on boot
Points to note:
-
Configure them both locally and ensure you have a connection before you move the pi to another country
-
If you’re behind a CGNAT on one network, that’ll change some things. That network will have to be the client. (If both are behind CGNAT, you’re out of luck and cant use this - will have to be tailscale or other method)
-
If using a domain name make sure its always pointing to your ip (in case it’s not static)
-
I think if you set allowed ip as 0.0.0.0/0 on the client it’ll route all traffic.
Edit:
Saw your comment about just having qbt use the vpn. Check this guide out
I will look into WireGuard! Thank you!
Why can’t you just use a VPN service, locally? It’s essentially the same thing, except you don’t have to host the exit node in country B yourself.
Tailscale is wireguard behind the scenes. I would think it should be able to work as you describe, you would again just set your machine in country B as the exit node.
None of this should require a domain name.
I have to pay for a VPN service. If I can skip paying by hosting it myself, I’d go the distance. It has been fun selfhosting services so far. I want to go deeper.
MiniPC runs Mint. I will check firejail. Thank you!
Doesn’t firejail only allow sandboxing to an actual eth or wifi interface, and not a wireguard one? I’ve tried this before with firejail, and hit this wall.
Damn you’re right, it doesn’t work out of the box like I expected. Have to admit that I never used it this way around. But it should work with --netns (network name spaces) which Wireguard uses: https://www.wireguard.com/netns/
Afaik it should work if you move Wireguard to it’s own namespace and than start qBittorrent with the new namespace (should even be doable without firejail).
@imetators @lemmy.dbzer0.com sorry for chasing you down that rabbit-hole, it sounded easier in my head
You can absolutely use Tailscale; your host in the unrestricted country needs to be set up as an exit node (CLI argument in Linux, or a menu option in the system tray in Windows.)
Then, your local machine needs to be set up to use that remote machine as its exit node. (tailscale up --exit-node=remote-tailnet-ip-here)
I am thinking to do this but only one thing bothers me. I want only qBittorrent to be using VPN, not the rest of the machine. Is there a way to set only qBittorrent with Tailscale?
Ah, sorry I hadn’t appreciated you were after split tunnelling… You can do this with Tailscale for services where you’re connecting to a fixed IP/FQDN, which I think rules out torrenting/P2P unfortunately.
The only way I’ve seen to pass a specific app’s traffic through Tailscale appears to be an Android exclusive feature.
If I’m wrong someone please correct me!
Anyone who knows enough about Wireguard, iproute2 tools, iptables/nftables, etc (firewall-marking certain packets based on criteria, then directing them through alternate route-tables based on that) can hand-roll split-tunneling, internal point-to-point tunnels/meshes, etc. For (most) people who want to achieve this in a less painful/fragile way, from what I’ve understood it seems Tailscale just does exactly this under the hood in a less arduous and more intuitive way for users, while also providing a static internet-facing ingress point when needed. Headscale exists for those wanting that but with their own static ingress (self-hosted at their own IP) instead of Tailscale’s.
A second option for docker is the hotio image for qbit. Has VPN support built in so you can just throw it your wg0 conf to use.
Check out I2P. No need for this setup.
I cannot resist enjoyng the idea that there could be countries where piracy is enforced :)
You can use socks server for download toorrents. Best choise insert socks traffic to wireguard connection and use sockd for outgoing and clean wireguard + port forwarding for incoming connections.
And you can use i2p network for download torrents in that networks. qBittorrent support it in experimental mode.
run installer
curl -L https://install.pivpn.io/ | bash- configure wireguard
- setup non root user
- Set a port
Create a user with
pivpn addExample:
root@funhaus:~# pivpn add Enter a Name for the Client: user.nameThe conf file can also be found in
/home/user.name/configsCopy the conf to your machine. Install WireGuard and use that conf.
In qbitorrent you should make sure the application is set to use the VPN network, otherwise it’ll use both. Go to Settings > Advanced > Set Wireguard from “Network Interface”
Check if that raspberry pi is behind CGNAT. In that case you’ll need something else to tunnel through, like Tailscale that was mentioned elsewhere.
