Hello comrades, I recently started to self-host my own VPN. I thought of using a regular VPN provider, but I don’t trust the cheap ones and the good ones are too costly for my needs. So I started to rent a cheap one-core VPS (DMCA ignored of course) for 2,5€/month. Before that I tried some seedboxes from some cheap providers, but the amount of control you have there was absolutely terrible. If they have SSH access, you have no sudo permissions.

One of those providers I tried just deploys docker containers and then, using some fancy marketing, they make a good amount of cash from something that one can do oneself with a little bit of technical knowledge. And when something doesn’t work, good luck, my friend.

So that’s why I chose a VPS where you have maximum control. Setting it all up, including security measures and a custom OS, is very fun. My distro of choice is Devuan. I’m running a Debian-based distro myself, and having no systemd not only boosts the startup time but also saves some system resources, which is especially important on a server with 1 GB RAM.

Installing Devuan was quite an adventure. Navigating their website to find the right download is like cruising a wild jungle. After choosing a mirror to download from, one has to check the name of the latest release. After that I selected “installer-iso”. In there I grabbed the netinstall. From there the real adventure began. Among the “standard stuff” I had to specify the DNS and netmask, nothing wild. I didn’t install a desktop environment of course, just the ssh-server components.

I then followed Wolfgang’s guide to set up SSH. Managing a computer without a desktop environment is something I had never done before, and while on a desktop PC this can be a horrifying experience, it’s really fun to operate a remote system via the command line. For enhanced security I activated and configured ufw. Many distros come preinstalled with gufw, so setting up ufw wasn’t a big deal.

Without systemd, many WireGuard install scripts don’t work, so I installed WireGuard via docker-compose with the help of Christian Lempa’s wonderful guide. Amazing guy. I had to enter the DNS servers manually so that the actual DNS addresses of the server are used.

I tried to route IPv6 traffic through the VPN by entering the IPv6 address in brackets into the docker-compose.yaml and adding ::/0 to the AllowedIPs, but none of it worked. So I had to deactivate IPv6 on my system and in the network manager. This stopped all IPv6 leaks.

As a killswitch I found this easy method. I tested it and it works. No IP leaks anymore.

To prevent DNS leaks I found these commands: sudo iptables -A OUTPUT -p udp --dport 53 -j DROP, sudo iptables -A OUTPUT -p tcp --dport 53 -j DROP. I tried the ufw equivalent, sudo ufw deny out 53/udp, sudo ufw deny out 53/tcp, but it blocks internet access. I made the iptables rules persistent with iptables-save, since iptables-persistent conflicts with gufw and ufw.

With this setup I started my torrent client and saw that I’m barely seeding. That’s not cool. I tried to set up port forwarding with a lot of iptables and routing tables like this one, but when checking the port it’s always closed.

So what now? My goal is to torrent over the I2P. I see a lot of potential in the I2P. It is basically what people envisioned the internet to be in the 90s. Since the internet is a military technology, freedom was never implicated, so even with a lot of obfuscation and circumvention, there is always some trouble when using clearnet. My intention with the VPN is to port over clearnet torrents to I2P. Thus the reliance on VPNs can be decreased.

  • Mordikan@kbin.earth · 14 upvotes · 3 days ago

    As mentioned in the comments, the VPN isn’t really viable here. That being said, your DNS iptables statements don’t work for two reasons:

    1. TCP 53 isn’t going to be used unless something like EDNS or zone transfers occur which is like never.
    2. The first statement blocks any traffic on the output chain (leaving your network) that is destined to a remote UDP port 53. This kills your access to any off-device DNS server.

    You would have to have an ACCEPT statement to allow the DNS traffic through the VPN. Something like: iptables -A OUTPUT -o tun0 -p udp --dport 53 -j ACCEPT

    • ejizar@thelemmy.club (OP) · 2 upvotes · 2 days ago

      Why do you think that a VPN isn’t viable?

      I don’t understand it, why don’t these commands block internet access when they block DNS traffic like the ufw command does?

      • Mordikan@kbin.earth · 5 upvotes · 2 days ago

        The problem here is that it sounds like you think torrenting traffic is using the self-hosted VPN, but that wouldn’t be true. Here is how it sounds like it is currently working: Torrent Client -> VPN interface -> Default interface -> Torrent Users. You could probably confirm that with mtr/traceroutes and bmon.

        The reason your internet goes down when you run your iptables statements is because you’re preventing DNS resolution, which uses UDP 53, from leaving the device. Even if you are running your own DNS server on that VPS, unless you have trackers statically mapped, DNS recursion has to be allowed for your VPS to determine host IPs.

        • ejizar@thelemmy.club (OP) · 1 upvote · 1 day ago

          Nope, I checked the traffic with mtr and it connects directly to the internal IP address of the server. Also I’ve bound the torrent client to the network interface of the VPN to ensure the traffic goes through the VPN.

          I understand. The problem with the rules above though is that they would block my regular network interface even after the VPN goes down. That’s why I created some postup and postdown rules for the WireGuard config:

          PostUp = iptables -I OUTPUT -o %i -p udp --dport 53 -j ACCEPT && iptables -A OUTPUT ! -o %i -p udp --dport 53 -j DROP
          PreDown = iptables -D OUTPUT -o %i -p udp --dport 53 -j ACCEPT && iptables -D OUTPUT ! -o %i -p udp --dport 53 -j DROP

          This only activates the rules while the VPN interface is on.
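The three DNS rule sets discussed in this thread (the blanket DROP from the opening post, the tunnel-only ACCEPT suggested in the first reply, and the PostUp/PreDown pair above) differ only in rule order, and iptables decides on the first match. The following is an added illustration, not code posted by anyone in the thread: a small Python model of an OUTPUT chain with first-match semantics, covering just the criteria these rules use (-p, --dport, -o and ! -o). The interface name "wg0" is a constructed stand-in for WireGuard's %i (and for the tun0 in the reply), and the sample packets are constructed. It shows that an ACCEPT appended with -A after a blanket DROP never fires, that inserting it with -I (as PostUp does) lets tunnel DNS through while still dropping DNS on other interfaces, and that after PreDown removes both rules the chain policy applies again, which is exactly the "only while the VPN is up" behaviour the post describes.

```python
"""Toy first-match model of the iptables OUTPUT chain (illustration only).

Models only the match criteria used in the thread: protocol, destination
port and outgoing interface (with "! -o" negation). "wg0" stands in for
WireGuard's %i; all packets below are constructed sample traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    out_if: str     # outgoing interface, e.g. "eth0" or "wg0"


@dataclass(frozen=True)
class Rule:
    """One rule: [-p PROTO] [--dport PORT] [[!] -o IFACE] -j TARGET."""
    target: str                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port
    out_if: Optional[str] = None   # None matches any interface
    negate_if: bool = False        # True models "! -o IFACE"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.out_if is not None:
            on_iface = pkt.out_if == self.out_if
            # "-o" needs on_iface True; "! -o" needs it False
            if on_iface == self.negate_if:
                return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy  # nothing matched: the chain policy applies


# Constructed traffic: DNS over the tunnel, DNS over the default interface,
# and ordinary HTTPS that must keep working in every scenario.
TRAFFIC: Dict[str, Packet] = {
    "dns_vpn": Packet("udp", 53, "wg0"),
    "dns_eth": Packet("udp", 53, "eth0"),
    "https_eth": Packet("tcp", 443, "eth0"),
}

ACCEPT_ON_TUNNEL = Rule("ACCEPT", proto="udp", dport=53, out_if="wg0")
DROP_OFF_TUNNEL = Rule("DROP", proto="udp", dport=53, out_if="wg0", negate_if=True)


def run(chain: List[Rule]) -> Dict[str, str]:
    return {name: verdict(chain, pkt) for name, pkt in TRAFFIC.items()}


def chain_drop_all_dns() -> List[Rule]:
    """The two -A rules from the opening post: every DNS packet is dropped."""
    return [Rule("DROP", proto="udp", dport=53), Rule("DROP", proto="tcp", dport=53)]


def chain_accept_appended() -> List[Rule]:
    """Same, plus the tunnel ACCEPT added with -A: it lands after the DROP."""
    chain = chain_drop_all_dns()
    chain.append(ACCEPT_ON_TUNNEL)
    return chain


def chain_accept_inserted() -> List[Rule]:
    """Same, but the tunnel ACCEPT added with -I: it lands first and wins."""
    chain = chain_drop_all_dns()
    chain.insert(0, ACCEPT_ON_TUNNEL)
    return chain


def chain_postup() -> List[Rule]:
    """The PostUp pair: -I ACCEPT on the tunnel, -A DROP everywhere else."""
    chain: List[Rule] = []
    chain.insert(0, ACCEPT_ON_TUNNEL)
    chain.append(DROP_OFF_TUNNEL)
    return chain


def chain_after_predown() -> List[Rule]:
    """PreDown deletes both rules (-D); only the chain policy remains."""
    chain = chain_postup()
    chain.remove(ACCEPT_ON_TUNNEL)
    chain.remove(DROP_OFF_TUNNEL)
    return chain


if __name__ == "__main__":
    for name, build in [("drop all DNS", chain_drop_all_dns),
                        ("ACCEPT appended", chain_accept_appended),
                        ("ACCEPT inserted", chain_accept_inserted),
                        ("PostUp pair", chain_postup),
                        ("after PreDown", chain_after_predown)]:
        print(f"{name:16s} {run(build())}")
```

Running it prints one line per scenario. The first two show DNS dropped on every interface, which is why the opening post's rules cut off internet access even though HTTPS itself is still accepted; the inserted and PostUp variants accept DNS only on the tunnel; the last line shows that once PreDown has run, DNS on eth0 is allowed again, so the block really is tied to the tunnel being up.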

          • Mordikan@kbin.earth · 1 upvote · 22 hours ago

            So, all traffic leaving the device is going out the VPN? If you curl ipinfo.io, does that show an IP address present in ip addr?

            • ejizar@thelemmy.club (OP) · 1 upvote · 10 hours ago

              Yes. But curl ipinfo.io and ip addr don’t match. The first command contacts a server outside the network, so it shows a public IP address, while the other shows the internal IP addresses of the network interfaces.

              • Mordikan@kbin.earth · 1 upvote · 5 hours ago

                Ok, that is what my comment and the other comments were addressing. It sounds as if you were VPN’ing into the VPS from your actual location, which does nothing as the VPS is registered to you. If you are running a VPN client locally on the VPS and connecting through a VPN provider, that is different.